Abstract

This thesis presents the formal background for a mathematical model for level-clocked
circuitry, in which latches are controlled by the levels (high or low) of clock signals rather
than transitions (edges) of the clocks. Such level-clocked circuits are frequently used in
MOS VLSI design. Our model maps continuous data domains, such as voltage, into
discrete, or digital, data domains, while retaining a continuous notion of time. A level-clocked
circuit is represented as a graph $G = (V, E)$, where $V$ consists of digital
components (latches and functional elements) and $E$ represents inter-component
connections.

The majority of this thesis concentrates on developing lemmas and theorems that can serve
as a set of “axioms” when analyzing algorithms based on the model. Key axioms include
the fact that circuits in our model generate only well defined digital signals, and the fact
that components in our model support and accurately handle the “undefined” values that
electrical signals must take on when they make a transition between valid logic levels. In
order to facilitate proofs for circuit properties, the class of computational predicates is
defined. A circuit property can be proved by simply casting the property as a
computational predicate.
Figure 1: Shown is a transistor-level circuit diagram for a simple cMOS level-clocked circuit. Labels
on  electrical  nodes  indicate  the  time  dependent  voltages  computed  for  them  by  the  device-level  simulator 
SPICE. 

1  Introduction 

The  MOS/VLSI  technology  has  popularized  a  methodology  of  clocking  based  on  level- 
clocked  latches  instead  of  the  more  traditional  edge-triggered  latches  used,  for  example,  in 
TTL  design.  The  popularity  of  level-clocking  arises  from  the  simplicity  with  which  a  level- 
clocked  latch  can  be  implemented  in  MOS  technologies:  a  single  transistor  can  suffice. 
Unfortunately,  the  high  device  densities  being  achieved  with  modern  VLSI  fabrication 
processes  preclude  the  possibility  of  performing  detailed  circuit  simulations  of  complete 
level-clocked  circuit  systems.  Consequently,  the  design  and  analysis  of  level-clocked  circuit 
systems  require  models  that  can  sacrifice  detail,  while  maintaining  accuracy. 

The lowest level at which level-clocked circuits are modeled is commonly referred to as
the device level. At this level, small circuits consisting of at most a few dozen electrical
devices are simulated in great detail, according to empirically verified models for individual
device behavior. In general, signals being passed between devices are time-dependent
voltages that can take on values in some continuous range. Thus, within the limitations of
floating-point number representation, device-level models treat signals as mappings from
continuous time to some continuous data domain, generally voltage. Figure 1 shows the
output of the device-level simulator SPICE [16], for a simple cMOS level-clocked circuit.

The next two levels at which level-clocked circuits are commonly modeled are referred
to as the switch level and block level. At these levels, large circuits of perhaps thousands of
individual devices are simulated in an attempt to uncover difficulties with circuit functionality
and data-movement coordination. As in device-level models, signals are generally still
mappings from continuous time to some data domain. At these levels of representation,
however, the data domains of signals are abstracted to be discrete, or digital, rather than
continuous. Figure 2 depicts a block level representation of the level-clocked circuit from
figure 1.

Figure 2: Shown is a block level representation of the level-clocked circuit from figure 1, along with its
corresponding digital signals. Note that two of the transistors from figure 1 have been grouped into a
single “block” of combinational logic, represented as a logical inverter, and the remaining transistor has
been replaced with an abstract level-clocked latch.

The reason for the abstraction to digital data domains is twofold. First, the abstraction
allows the use of less detailed, and therefore less computationally intensive, device
models, and consequently facilitates the simulation of circuits that contain large numbers
of electrical devices. Second, the abstraction is a natural one, since the vast majority of
level-clocked circuits are used in digital computers, where various voltage ranges are by
convention interpreted as a logical “1” or “0.”

Unfortunately,  the  abstraction  to  digital  signals  can  be  problematic,  since  we  wish 
switch  and  block  level  models  to  accurately  reflect  the  operation  of  a  large  level-clocked 
circuit.  In  this  context,  it  is  not  enough  for  a  model  to  map  an  electrical  signal  into 
a  digital  data-domain  in  a  reasonable  fashion.  A  model  must  also  be  able  to  determine 
whether  the  presumably  unmodeled  device-level  behavior  of  the  level-clocked  circuit  is  such 
that  a  particular  mapping  would  be  appropriate. 

Traditionally,  the  models  used  at  the  block  and  switch  levels  have  focused  more  on 
handling  the  parameters  of  a  general  engineering  situation,  and  less  on  formal  properties. 
Consequently,  the  problem  of  confirming  the  accuracy  of  the  mapping  of  electrical  signals 
into  the  digital  data  domain  has  generally  either  been  deferred  to  the  electrical  engineer,  or 
ignored.  In  addition,  the  relative  de-emphasis  on  formal  properties  has  resulted  in  models 
and  algorithms  that  lack  the  kinds  of  theoretically  rigorous  notions,  algebras  and  bounds 
that have been developed for circuits utilizing edge-triggered latches [9, 11].

This thesis presents the formal background for a model for level-clocked circuitry that
has been formulated explicitly to support mathematically precise manipulation, while
maintaining the ability to accurately map electrical signals. Features of the model include the
ability to support and handle the “undefined” values that electrical signals take on when
they change between valid logic levels, and the ability to support formal proof techniques,
such as induction. We show that circuits in the model always generate signals that have
well defined values, and present several lemmas that formally characterize the behavior of
individual circuit components. In addition, we define a large class of circuit properties, the
computational predicates, and in conjunction develop the mechanism of computational
ordering, which conveniently integrates the limit arguments used to analyze continuous-time
systems into a more easily manipulated inductive framework.

The remainder of this thesis is organized as follows. Section 2 defines the basic concepts
of digital signals and models. Section 3 presents our models for individual circuit components,
and proves the ability of individual components to accurately operate on digital
signals. Section 4 defines how circuit components are hooked up into complete circuits,
and presents our representation of a computation on a circuit. Section 5 develops the
mechanism of computational ordering, and defines the class of computational predicates.
Section 6 then uses computational predicates to prove that circuits in the model possess
important basic properties, such as deterministic operation. Finally, section 7 offers
some concluding remarks.

2  Digital  Signals  and  Models 

In  this  section  we  define  digital  signals  and  their  correspondence  to  the  electrical  signals 
that  they  are  used  to  represent.  Mathematical  definitions  are  given  along  with  intuitive 
descriptions  when  appropriate.  In  addition,  we  introduce  the  concept  of  a  digital  model. 

A tacit assumption throughout this thesis is that we wish to accurately represent the
electrical signals found in real MOS circuits, without resorting to the powerful, but
computationally intensive, device-level simulations of systems such as SPICE. Electrical signals
generally are time-dependent electrical voltages or currents that vary over some continuous
range of values. They are determined either empirically, or with complex nonlinear device
models. The assumption throughout this thesis is that electrical signals are represented by
time dependent signals that only vary over some digital data-domain, which contains only
a countable number of values. A digital model is a model that only handles signals with
digital data domains.

When  signals  with  digital  data  domains  are  used  to  represent  electrical  signals,  there 
must  exist  some  correspondence  of  values  in  the  data  domain  of  the  electrical  signals,  to 
values  in  the  digital  data  domain.  Electrical  signals  in  MOS  circuits,  for  example,  might 
use  voltages  greater  than  or  equal  to  3.5  volts,  and  less  than  or  equal  to  1.5  volts  to 
represent  binary  1  and  0  respectively.  The  correspondence  of  values  in  the  data  domain 
of  the  electrical  signals  to  values  in  the  digital  data  domain  is  the  elementary  mapping  for 
the  data  domain  of  the  electrical  signals. 

Since digital models are presumably less powerful than device-level models, we expect
that there are times when a digital model is not powerful enough to accurately perform
the elementary mapping. Such times can be grouped into two broad categories. The first
category consists of times when the elementary mapping does not specify a value in the
digital data-domain for the value of an electrical signal. At such times the value of a
digital signal is undeterminable, because the value that corresponds to the electrical signal
is undefined in the digital data domain. The second category consists of times when the
elementary mapping does specify a value in the digital data domain for the value of an
electrical signal, but the digital model does not incorporate sufficient detail to perform the
mapping. At such times, the value of a digital signal is undeterminable, because the correct
values are effectively underdefined by the digital model.
Figure 3: Shown is the level-clocked circuit from figure 1, and its time dependent voltage waveforms.
Times  that  correspond  to  undefined  values  are  shaded. 

Undefined values are generally due to the fact that we are mapping the value of
some  continuous  physical  quantity  into  the  discrete  data  domain  of  some  digital  signal. 
For  example,  consider  the  previously  stated  voltage  range  elementary  mapping  for  MOS 
circuits.  Since  voltage  is  a  continuous  physical  quantity,  an  electrical  signal  cannot  change 
from  3.5  to  1.5  volts,  without  taking  on  every  intermediate  voltage.  Times  when  the 
electrical  signal  is  at  some  intermediate  voltage  cannot  be  mapped  to  either  1  or  0,  and 
consequently  correspond  to  a  value  that  is  undefined  in  the  digital  data-domain.  Figure  3 
shows  the  times  that  correspond  to  undefined  values  for  the  circuit  from  figure  1. 

Underdefined  values  can  be  due  to  uncertainty  inherent  to  the  MOS  circuits  being 
modeled.  For  example,  it  is  often  impossible  to  predict  the  exact  time  at  which  an  electrical 
signal  would  change  value,  since  variations  in  circuit  fabrication  processing  make  it  difficult 
to  predict  the  amount  of  time  needed  for  a  change  in  voltage  to  propagate  from  one  piece  of 
circuitry to another. Consequently, a transition in the value of the electrical signal implies
an underdefined interval during which an accurate representation of the electrical signal in
a digital data domain is not possible. In general, this interval is made large enough to
encompass  all  times  at  which  the  transition  might  actually  occur. 

In  general,  however,  underdefined  values  are  due  to  the  desire  to  avoid  computing  the 
solutions  to  computation  intensive  problems.  For  example,  in  section  3,  it  will  be  assumed 
that  a  change  in  the  value  of  an  input  to  a  circuit  component,  forces  the  output  of  the 
component  to  be  considered  underdefined.  This  constraint  is  excessive,  since  there  are 
circuits,  such  as  a  typical  nMOS  NOR  gate,  where  inputs  can  sometimes  change  value 
without affecting the value of the output. Unfortunately, the general problem of determining
whether a circuit falls into this category is NP-complete [3], and consequently is
likely  to  be  computationally  intractable.  Thus,  while  changing  inputs  do  not  actually  imply 
that  the  output  of  a  circuit  cannot  be  mapped  into  a  digital  data  domain,  the  output  is 
effectively  underdefined,  since  modern  computing  machinery  cannot  compute  the  mapping 
efficiently. 
In order to model underdefined and undefined values, we introduce into every digital
data-domain the special symbol ⊥, which is specifically used to represent undefined and
underdefined  values.  The  explicit  representation  of  underdefined  and  undefined  values  is 
important,  since,  as  we  shall  see  in  section  3,  underdefined  and  undefined  values  have  a 
significant  impact  on  how  circuits  behave. 

A digital signal is essentially a mapping from time to some discrete, or digital, data
domain $P$, typically $\{0, 1\}$, where $P$ does not contain the reserved symbol ⊥. Elements of
$P$ are valid digital values, while the symbol ⊥ is the invalid digital value that we use to
represent underdefined and undefined values. Each element of $P$ is assumed to correspond
to some subset of the continuous data domain for the modeled electrical signal, just as
“1” and “0” correspond to voltage ranges in the description of figure 3. We also assume,
however, that as the value of an electrical signal changes from a subset that corresponds
to one valid value, to a subset that corresponds to another, there exists an interval of time
during which its value does not correspond to any element of $P$. During such intervals,
the value of a digital signal is the invalid value ⊥. The following mathematical definition
formalizes this characterization.

Definition. A digital signal over a discrete data-domain $P$ is a mapping
$s : \mathbb{R} \cup \{-\infty\} \to P \cup \{\bot\}$ that satisfies the following two properties.

• For each $x \in P$, the values $t$ such that $s(t) = x$ form a set $\mathrm{STABLE}(s, x)$ of
nonoverlapping closed intervals.

• For each $x \in P$, the set $\mathrm{STABLE}(s, x)$ is locally finite, that is, for all $t_1, t_2 \in \mathbb{R}$,
the number of intervals in $\mathrm{STABLE}(s, x) \cap [t_1, t_2]$ is finite.

Observe that when a digital signal changes from one valid value to another, the first
property implies that there exists a well defined last moment in time when it takes on the
first value, a well defined first moment in time when it takes on the second value, and an
open interval of time between them where it takes on the invalid value ⊥. In addition,
the second property excludes any signal whose value changes infinitely often within a
finite period of time, thus guaranteeing that there exists an order-preserving mapping from
stable intervals to the integers. The order preserving mapping to the integers is of great
significance in section 5, where we perform inductions on digital signals. Finally, while we
expect the data domain for signals to be circuit dependent, for convenience we generally
assume that all signals in a circuit share a common data domain $P$.

We say a digital signal is stable over an interval of time if it assumes a constant valid
value over the interval. By definition, a stable signal is constant. A constant signal need
not be stable, however, since a signal could be constant with the invalid value ⊥. We
use the term constant specifically to indicate a signal that could also be constant with
value ⊥. Observe that, by definition, a digital signal is stable over any interval that is an
element of $\mathrm{STABLE}(s, x)$, for some $x \in P$.

3  Ideal  Circuit  Components 

This  section  presents  our  model  for  individual  circuit  components.  We  begin  with  an 
overview  of  what  circuit  components  are,  and  how  our  model  represents  circuit  component 
behavior.  Then  for  each  type  of  circuit  component  we  present  an  intuitive  description  of 
the behavior of the component, describe how underdefined and undefined values affect this
behavior  and  present  our  mathematical  model  for  the  component.  In  addition,  several 
basic  lemmas  are  presented.  These  lemmas  serve  as  a  basic  set  of  “axioms”  for  subsequent 
theorems,  and  their  proofs  provide  a  valuable  opportunity  to  become  familiar  with  different 
aspects  of  our  models  for  circuit  components. 

In  the  broadest  sense,  a  circuit  component  is  anything  that  can  be  used  as  part  of  a 
complete  circuit.  At  the  device  level,  common  components  are  wires,  transistors,  resistors 
and  capacitors.  At  the  block  level,  it  is  common  to  encounter  more  abstract  components 
such  as  logic  gates  and  ALUs.  In  general,  the  behavior  of  a  circuit  component  at  the  block 
level  is  defined  by  the  relationship  between  the  inputs  and  output  of  the  component,  and 
not  by  the  physical  objects  with  which  the  component  is  realized. 

Our  model  groups  circuit  components  into  two  basic  categories.  The  first  category 
includes  the  latches  that  control  the  movement  of  data  within  a  circuit.  The  behavior  of 
latches  is  carefully  represented  in  our  model.  The  second  category  includes  all  components 
that  are  not  latches.  This  category  includes  everything  from  device-level  components  such 
as  transistors,  to  block-level  components  such  as  logic  gates.  Components  in  this  category 
are  called  functional  elements.  Since  the  behavior  of  functional  elements  can  range  between 
the  extremely  simple  and  the  very  complex,  our  model  represents  their  behavior  in  a  generic 
fashion. 

Latches  are  placed  in  their  own  category  for  two  reasons.  First,  since  latches  control  data 
movement  within  a  circuit,  they  are  the  components  of  primary  concern  when  performing 
circuit  verification  operations,  such  as  timing-analysis  [2,  4,  5,  7,  12,  15].  Second,  while 
most  types  of  functional  elements,  such  as  transistors  or  logic  gates,  are  grouped  into 
larger  components  at  higher  levels  of  abstraction,  latches  often  remain  atomic  and  exhibit 
essentially  the  same  behavior.  Consequently,  latches  enjoy  the  unique  position  of  being 
considered  important  fundamental  components  at  almost  all  levels  of  circuit  modeling. 

Our model represents circuit components with digital circuit components. A digital
circuit component is an abstract object that has some number $k$ of digital input-signals
$x_1, x_2, \ldots, x_k$, a single digital output-signal $y$, and a constraint

$$\mathrm{LEGAL}(y, x_1, x_2, \ldots, x_k, t)$$

that, if satisfied at time $t$, indicates that the input signals and the output signal are consistent
with the behavior of the component. Observe that since arbitrary digital signals can
be used as the inputs and outputs of digital components, digital components do not generate
outputs in the traditional sense. In general we assume that input and output signals
are given and specified over all time. Under this assumption, the issue is not “what” the
value of a particular digital signal is, but rather whether a set of digital signals satisfies
the constraint LEGAL when its elements are used as the input and output signals of some
digital component.

We  separately  examine  the  digital  components  used  to  model  functional  elements  and 
latches  in  the  following  two  subsections.  Definitions  of  the  Legal  constraints  are  given, 
along  with  intuitive  descriptions  where  appropriate. 
Figure 4: A digital functional element has some finite number $k$ of digital input signals $x_1$ through $x_k$, a
single digital output signal $y$, an associated $k$-input function $f$, and a propagation delay $d$. When an
input changes, the output must immediately be ⊥ and cannot be a valid value until a time equal to the
propagation delay $d$ after the change in the input.


3.1  Functional  Elements 

At an intuitive level, a functional element is a component whose output signal is some
function $f$ of its input signals. In addition, a functional element has associated with it
a “settling” time, or propagation delay $d$, that indicates the amount of time required for
the  output  to  assume  its  correct  value  after  an  input  changes.  This  propagation  delay  in 
general  varies  with  the  particular  input  involved,  and  with  the  specific  value  that  the  input 
changed  to  or  from. 

Underdefined  and  undefined  inputs  to  functional  elements  represent  special  difficulties, 
due  to  the  wide  variety  of  circuit  components  that  get  grouped  as  functional  elements. 
Intuitively,  an  input  to  a  functional  element  being  underdefined  or  undefined,  should  imply 
that the output of the functional element is also. Similarly, the output of a functional
element should be underdefined or undefined for at least one propagation delay after a change
in  the  value  of  some  input  signal.  As  mentioned  in  section  2,  however,  there  exist  circuits 
whose  outputs  can  be  well  defined,  even  if  one  or  more  inputs  are  not.  Unfortunately, 
verifying  that  an  arbitrary  functional  element  falls  into  this  category  is  likely  to  be  too 
computationally  expensive  to  be  practical. 

We model functional elements with a digital component. A digital functional element
has some finite number $k$ of digital input signals $x_1$ through $x_k$, a single digital output signal
$y$, an associated $k$-input function $f$, and a propagation delay $d$, as shown in figure 4. The
constraint $\mathrm{LEGAL}(y, x_1, x_2, \ldots, x_k, t)$ for a functional element is satisfied at time $t$, if and
only if the signals $y, x_1, x_2, \ldots, x_k$ satisfy the following equation:

$$
y(t) =
\begin{cases}
f(x_1(t), x_2(t), \ldots, x_k(t)) & \text{if } x_i \text{ is stable over the interval } [t - d, t] \text{ for all } i = 1, 2, \ldots, k, \\
\bot & \text{otherwise.}
\end{cases}
\qquad (1)
$$


Figure 5: Shown is a simple circuit that implements a level-clocked latch. The latch has input signal $x$,
output signal $y$ and clock signal $\phi$. When $\phi$ is high, $y$ follows $x$. When $\phi$ is low, $y$ holds the value it had
when $\phi$ was most recently high.

There are three features of equation 1 that should be noted. First, if an input signal changes
value and the output signal is to satisfy LEGAL, the output signal must immediately be
⊥ and cannot be a valid value until a time equal to the propagation delay $d$ after the
change in the input. Second, if any input signal is ⊥ at time $t$, by definition it is not
stable at time $t$, and thus LEGAL constrains the output signal to be ⊥. Observe that these
features are equivalent to the previously described intuitive notions of underdefined and
undefined values. Without these features, our model would be prone to computational
intractability difficulties. The third feature to note is that digital functional elements are
characterized by only a single propagation delay $d$. The fact that $d$ does not vary over the
different inputs is simply for convenience. The fact that $d$ does not vary over the different
values for inputs is significant, since this type of propagation delay would also introduce
computational intractability problems.

Digital  functional  elements  can  be  used  to  represent  more  general  circuit  components, 
much  as  ideal  electrical  components  are  used  to  model  real  physical  devices.  For  example, 
a  functional  element  with  multiple  outputs  can  be  represented  with  several  one-output 
digital  functional  elements.  As  another  example,  a  functional  element  whose  propagation 
delay  varies  with  the  input  signal  can  be  represented  with  a  zero-delay  functional  element, 
each  of  whose  input  signals  is  the  output  signal  of  a  functional  element  that  computes  the 
identity  function  and  whose  propagation  delay  is  the  input-to-output  propagation  delay  of 
the  original  functional  element. 

3.2  Level-Clocked  Latches 

Level-clocked latches are latches that are controlled by the level (high or low) of a clock
signal rather than a transition (edge) of the clock. Latches are three-terminal components
that are used to store and propagate data. A latch takes a single input signal and a single
clock signal, and produces a single output signal. A level-clocked latch has the following
general behavior. While the clock for a level-clocked latch is high, the output of the latch
is equal to its input. When the clock changes to low, the latch stores the value of its input
and outputs this value until the clock changes back to high. Figure 5 shows a simple
implementation for a level-clocked latch, along with an illustrative set of input/output
signals. Such level-clocked latches are frequently used in MOS VLSI design.

The  implications  of  underdefined  and  undefined  values  on  the  input  signal  of  a  level- 
clocked  latch  are  fairly  straight-forward.  If  the  clock  input  of  the  latch  is  high,  an  undefined 
or  underdefined  value  on  the  input  signal  implies  an  undefined  or  underdefined  value  on  the 
output  signal,  since  the  input  and  output  are  equal.  If  the  clock  input  is  low,  an  undefined 
or  underdefined  value  on  the  input  signal  implies  nothing  about  the  value  on  the  output, 
since  the  latch  is  outputting  the  value  stored  from  the  last  time  the  clock  was  high. 

If our only concern were underdefined and undefined values on the input signal of a
level-clocked latch, then we could describe the behavior of a digital level-clocked latch with
an equation similar to the following:

$$
y(t) =
\begin{cases}
x(t) & \text{if } \phi(t) = \text{High}, \\
y(t_{\text{high}}) & \text{if } \phi(t) = \text{Low and } t_{\text{high}} = \sup\{\, t' < t : \phi(t') = \text{High} \,\},
\end{cases}
\qquad (2)
$$

where $x$, $y$ and $\phi$ are respectively the input signal, output signal and clock signal of
the latch. Observe that no explicit reference to ⊥ needs to occur, since the only source of
⊥ values is the input signal $x$.

Unfortunately, equation 2 does not consider the more complex implications of underdefined
and undefined values on the clock signal. If the clock signal is underdefined, then we
do not know whether its value is high or low. Observe, however, that the output could be
independent of the clock, and therefore well defined even if the clock signal is underdefined.
Consider, for example, if the input signal held a constant value ⊥ for all time. Introducing
underdefined values into the clock signal would in general have no effect on the output
signal. To see this, consider the possible values that the clock could have. If the clock were
high, the output would have value ⊥. If the clock were low, the output would be the value
of the input at the last time the clock was high and, if we assume that the clock had been
high in the past, the output would again have value ⊥. What is needed is a model similar
to equation 2 that retains a well defined output value whenever the underdefined values of the
clock signal cannot affect the output value.

Properly addressing the implications of undefined clock signal values would require an
in-depth discussion of electrical device models and general VLSI design methodologies
that is beyond the scope of this thesis. We make the broad assumption that underdefined
and undefined clock signal values can be considered to be equivalent. Any of the VLSI
references [2, 13] can be consulted if verification of this assumption is desired.

Formulating a model that properly handles underdefined clock signal values is not
straightforward, because of the many different cases that the model must address. For
example, it is not clear a priori that an underdefined clock value immediately after a high
clock value can be treated in the same way as an underdefined clock value immediately after
a low clock value. Similarly, there is the question of how to treat intervals of underdefined
values, where presumably the underdefined interval may represent a clock signal that in
reality changed from high to low multiple times during the interval. Under what conditions
can we guarantee that the output remains well defined regardless of what clock signal the
underdefined value represents?

Fortunately, we can show that the following definition for a digital latch has the qualities
that we desire. A digital latch has a digital input signal x, a digital output signal y, and
a digital clock signal φ as shown in Figure 6. A digital clock signal is a digital signal
with the data domain {High, Low}. The constraint LEGAL(y, x, φ, t) for an ideal latch is
satisfied at time t, if and only if the signals y, x and φ satisfy the following equation:

Figure 6: A digital latch has a single digital input signal x(t), a single digital output signal y(t), and an
associated digital clock signal φ.

$$
y(t) = \begin{cases}
x(t) & \text{if } \phi(t) = \text{High} \\[4pt]
y(t_{\phi\text{-valid}}) & \text{if } \phi(t) = \bot \text{ and } x(t') = y(t_{\phi\text{-valid}}) \\
 & \quad \text{for all } t' \in (t_{\phi\text{-valid}}, t] \\[4pt]
y(t_{\phi\text{-valid}}) & \text{if } \phi(t) = \text{Low and } x(t') = y(t_{\phi\text{-valid}}) \\
 & \quad \text{for all } t' \in (t_{\phi\text{-valid}}, t_{\phi\text{-invalid}}]\rfloor \\[4pt]
\bot & \text{otherwise,}
\end{cases}
\qquad (3)
$$

where

$$
t_{\phi\text{-invalid}} = \sup\{t' < t : \phi(t') = \bot\}
$$

and

$$
t_{\phi\text{-valid}} = \sup\{t' < t : \phi(t') \neq \bot \text{ and } \exists\, t'' \in (t', t] \text{ such that } \phi(t'') = \bot\}.
$$

The time t_φ-invalid is intuitively the most recent time that the value of φ changed from ⊥ to
a valid value. Similarly, the time t_φ-valid is intuitively the most recent time that φ made a
transition from a valid value to ⊥. Figure 7 shows a digital clock signal φ, and t_φ-valid and
t_φ-invalid for t = 25ns and t = 40ns.

For the remainder of this thesis, we will be manipulating intervals that are frequently
defined by values such as t_φ-invalid and t_φ-valid. Unfortunately, since the supremum of a
set is not necessarily a member of the set, use of a supremum to define the start or end of
an interval can lead to ambiguities with regard to whether the interval is open or closed.
Rather than always explicitly enumerate the various possibilities of open, closed, half-open-
below and half-open-above, we adopt the convention of using the delimiters ⌊ and ⌋ to
indicate that the inclusion of the start or end point of an interval will vary from situation
to situation. For example, the expression (t_s, t_e)⌋ denotes the interval containing (t_s, t_e)
and possibly t_e. Except when noted otherwise, however, it is assumed that the inclusion
or exclusion of an end point is constant for any particular interval. Consequently, given an
interval ⌊(t_s, t_e)⌋, a subinterval such as ⌊(t_s, t'_e] or a derived interval such as ⌊(t_s − x, t_e] would
contain t_s and t_s − x, if and only if the original interval contained t_s.

Figure 7: Shown is a digital clock signal φ and t_φ-valid and t_φ-invalid for t = 25ns and t = 40ns.

We can obtain an intuitive feel for equation 3 by assuming that LEGAL(y, x, φ, t) is
TRUE for all times t, and viewing y as a function of x and φ. When φ is High, y follows
x and the latch behaves like a functional element computing the identity function. When
φ is invalid, y follows x as long as x holds the value y had at the last transition of φ. If x
changes value while φ is invalid, the value of y becomes invalid. Finally, when φ is Low,
y effectively holds the value it had when φ most recently changed value to Low. To see
this, recall that φ must equal ⊥ before becoming Low and note that the conditions for φ
equal to Low and ⊥ are identical until the most recent transition of φ.
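To make equation 3 concrete, the following is an added example (not code from the thesis) that evaluates the latch output y(t), together with t_φ-valid and t_φ-invalid, for piecewise-constant signals. Everything beyond equation 3 is an assumption of the example: signals are lists of (start, value) breakpoints beginning at −∞ with ⊥ written as None; the "possibly included" end point of (t_φ-valid, t_φ-invalid]⌋ is treated as included; y(−∞) is an explicit initial value (the initial condition of the latch); and where the supremum defining t_φ-valid equals t itself, because φ becomes ⊥ exactly at t, y(t_φ-valid) is read as the value of y just before t. The constructed clocks and inputs replay the discussion preceding equation 3: a constant input survives an underdefined clock interval, while an input that changes during that interval leaves the output ⊥ for as long as the latch holds it.

```python
from math import inf

BOT = None                 # the undefined/underdefined value, written ⊥ in the thesis
HIGH, LOW = "High", "Low"  # the clock data domain {High, Low}

# A signal is a sorted list of (start, value) breakpoints, the first at -inf; the value at
# a breakpoint belongs to the segment that starts there.  (Representation chosen for this
# example, not prescribed by the thesis.)


def segments(signal):
    """Yield (start, end, value) with end = next start, or +inf for the last segment."""
    for i, (start, val) in enumerate(signal):
        end = signal[i + 1][0] if i + 1 < len(signal) else inf
        yield start, end, val


def value_at(signal, t):
    """Signal value at time t."""
    return next(v for s, e, v in segments(signal) if s <= t < e)


def value_before(signal, t):
    """Signal value just before t (on the segment containing t-)."""
    return next(v for s, e, v in segments(signal) if s < t <= e)


def sup_before(signal, t, pred):
    """sup{ t' < t : pred(signal(t')) }, or -inf if that set is empty."""
    best = -inf
    for start, end, val in segments(signal):
        if pred(val) and start < t:
            best = max(best, min(end, t))
    return best


def t_invalid(phi, t):
    """t_phi-invalid = sup{ t' < t : phi(t') = ⊥ }."""
    return sup_before(phi, t, lambda v: v is BOT)


def t_valid(phi, t):
    """t_phi-valid = sup{ t' < t : phi(t') != ⊥ and some t'' in (t', t] has phi(t'') = ⊥ }.
    A valid t' qualifies iff it lies below the end of the last ⊥ segment starting at or
    before t, so take the sup of valid points below min(t, that end)."""
    bot_end = max((e for s, e, v in segments(phi) if v is BOT and s <= t), default=-inf)
    if bot_end == -inf:
        return -inf                      # phi has never been ⊥ before t
    return sup_before(phi, min(t, bot_end), lambda v: v is not BOT)


def holds_over(x, lo, hi, expected):
    """True iff x(t') == expected for every t' in (lo, hi] (vacuously true if empty)."""
    return hi <= lo or all(v == expected for s, e, v in segments(x) if e > lo and s <= hi)


def latch_output(x, phi, t, y_init):
    """y(t) for the ideal latch of equation 3, with y(-inf) = y_init."""
    if t == -inf:
        return y_init
    clk = value_at(phi, t)
    if clk == HIGH:
        return value_at(x, t)            # transparent: y follows x
    tv = t_valid(phi, t)
    if tv < t:
        held = latch_output(x, phi, tv, y_init)   # y(t_phi-valid); tv < t, so this terminates
    else:
        held = output_before(x, phi, t, y_init)   # supremum not attained: use y(t-)
    if clk is BOT:
        return held if holds_over(x, tv, t, held) else BOT
    return held if holds_over(x, tv, t_invalid(phi, t), held) else BOT   # clk == LOW


def output_before(x, phi, t, y_init):
    """y just before t, for the case where phi becomes ⊥ exactly at t."""
    clk = value_before(phi, t)
    if clk == HIGH:
        return value_before(x, t)        # y was following x right up to t
    if clk == LOW:                       # y is constant over a Low interval (lemma 3.1)
        return latch_output(x, phi, max(s for s, _ in phi if s < t), y_init)
    return BOT                           # unreachable for a digital clock; kept for totality


# Constructed scenario (not from the thesis): a clean clock, and the same clock with an
# extra underdefined interval [30, 33) where it should have stayed Low.
PHI_CLEAN = [(-inf, LOW), (10, BOT), (12, HIGH), (20, BOT), (22, LOW)]
PHI_GLITCH = PHI_CLEAN + [(30, BOT), (33, LOW)]
X_CONST = [(-inf, 1)]                                          # input held at 1 for all time
X_CHANGE = [(-inf, 1), (15, BOT), (16, 0), (31, BOT), (32, 1)]  # input changes during the glitch


def trace(x, phi, times, y_init=0):
    """Output values at the given times, with ⊥ rendered as the string 'bot'."""
    out = []
    for t in times:
        y = latch_output(x, phi, t, y_init)
        out.append((t, "bot" if y is BOT else y))
    return out


if __name__ == "__main__":
    for name, x, phi in [("const/clean", X_CONST, PHI_CLEAN), ("const/glitch", X_CONST, PHI_GLITCH),
                         ("change/clean", X_CHANGE, PHI_CLEAN), ("change/glitch", X_CHANGE, PHI_GLITCH)]:
        print(name, trace(x, phi, [5, 11, 15, 25, 31, 40]))
```

At t = 11 the clock is ⊥ and the constant input 1 differs from the held initial value 0, so the output is ⊥: the latch may or may not have opened. With the constant input, the extra ⊥ interval of PHI_GLITCH changes nothing (the output stays 1 through t = 40), exactly as argued above. With X_CHANGE, the input goes through ⊥ at t = 31 while the clock is underdefined, and equation 3 makes the output ⊥ from then on, including at t = 40 when the clock is Low again, because the Low clause compares x over (t_φ-valid, t_φ-invalid] against the held value.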

The following five lemmas formally verify that equation 3 is such that digital latches
exhibit the types of behavior that we desire. Lemma 3.1 addresses the case where φ has
value Low, while lemmas 3.2 and 3.3 examine the more involved case where φ has value ⊥.
The case where φ has value High is sufficiently simple not to warrant separate discussion.
Lemmas 3.4 and 3.5 are a pair of lemmas that are presented here for convenience, but
are used in section 6.

Lemma  3.1  states  that  the  output  of  a  level-clocked  latch  must  be  constant  when  its 
clock  input  has  value  Low.  The  lemma  verifies  the  ability  of  a  digital  latch  to  hold  state 
information,  and  isolate  its  output  signal  from  changes  in  its  input  signal.  These  abilities 
are  important,  since  level-clocked  latches  with  Low  clock  inputs  are  in  general  used  for 
precisely  these  purposes.  In  addition,  the  lemma  is  needed  for  the  proofs  of  lemmas  3.2 
and  3.3. 

Lemma 3.1 Let s_v' be the input signal, s_v be the output signal, and φ be the clock signal
of an ideal latch, where LEGAL(s_v, s_v', φ, T) for the latch is satisfied for all time T. If φ is
Low over the interval ⌊(t_s, t_e)⌋, then s_v must be constant over the interval ⌊(t_s, t_e)⌋.

Proof: If φ is Low over the interval ⌊(t_s, t_e)⌋, equation 3 specifies that for any time t during
⌊(t_s, t_e)⌋, the value of s_v is determined in one of two possible ways. Either the condition that
s_v'(t') = s_v(t_φ-valid) for all t' ∈ (t_φ-valid, t_φ-invalid]⌋ is satisfied and s_v(t) = s_v(t_φ-valid), or it is
not satisfied and s_v(t) = ⊥.

Observe, however, that by definition t_φ-valid and t_φ-invalid must both be less than or equal
to t_s, and moreover must both be constant for the entire interval ⌊(t_s, t_e)⌋. Consequently,
if the condition that s_v'(T) = s_v(t_φ-valid) for all T ∈ (t_φ-valid, t_φ-invalid]⌋ is satisfied at any
time during ⌊(t_s, t_e)⌋, then it must be satisfied for all time during ⌊(t_s, t_e)⌋. Similarly, if the
condition is not satisfied at some time during ⌊(t_s, t_e)⌋, then it cannot be satisfied at any
time during ⌊(t_s, t_e)⌋. In either case, s_v(t) must be constant, either with value s_v(t_φ-valid) or
⊥, for all t ∈ ⌊(t_s, t_e)⌋. □

Lemmas 3.2 and 3.3 examine the behavior of a digital latch whose clock input is under-
defined, that is, has value ⊥. Our eventual goal is to verify that LEGAL constrains the output
signal of a latch to be ⊥ at time t, if and only if the input signal or clock signal of the latch
is ⊥ at some time t' that can make the value of the output signal at time t ambiguous and
thus underdefined.

Lemma 3.2 begins by demonstrating that the output signal of a latch cannot be valid
if underdefined clock signal values make the output signal value ambiguous. Proof of the
lemma is based on the observation that if φ has underdefined values, then there exists
another clock signal φ' that represents the electrical signal that corresponds to φ more
accurately. The lemma states that if LEGAL(s_v, s_v', φ, t) is satisfied, and s_v(t) is a valid
value, then LEGAL(s_v, s_v', φ', t) must also be satisfied, for any possible φ'.

Lemma 3.2 Let s_v' be the input signal, s_v be the output signal and φ be the clock signal
of an ideal latch, where LEGAL(s_v, s_v', φ, T) for the latch is satisfied for all time T. If
s_v(t) ≠ ⊥, then for all digital clock signals φ' that equal φ for all t' such that φ(t') is valid,
LEGAL(s_v, s_v', φ', t) for the latch is satisfied.

Proof: If φ equals High at time t, the lemma holds trivially, since φ' must also be High
at time t and therefore LEGAL(s_v, s_v', φ, t) and LEGAL(s_v, s_v', φ', t) both require that s_v(t)
equals s_v'(t). In addition, none of the clauses of equation 3 ever reference any signal values for
times not in the interval (t_φ-valid, t]. Consequently, we can assume without loss of generality
that φ is not equal to High at time t, and that φ and φ' are equal except over the interval
(t_φ-valid, t_φ-invalid]⌋, where t_φ-invalid is in the interval if t_φ-invalid equals t.

To begin, consider the implications of s_v(t) ≠ ⊥. If φ is not High at time t, and
LEGAL(s_v, s_v', φ, t) is satisfied for all time, then s_v(t) ≠ ⊥ implies that s_v(t) equals s_v(t_φ-valid)
and s_v' equals s_v(t_φ-valid) over (t_φ-valid, t_φ-invalid]⌋. In addition, since for all T in (t_φ-valid, t_φ-invalid),
φ(T) equals ⊥ and T_φ-valid (the value of t_φ-valid computed at time T) equals t_φ-valid, we can
use equation 3 to conclude that s_v also equals s_v(t_φ-valid) over (t_φ-valid, t_φ-invalid]⌋. In addition,
if φ equals Low at t, we observe that for all T in [t_φ-invalid, t], φ(T) equals Low, and the
interval (T_φ-valid, T_φ-invalid) is constant and equal to (t_φ-valid, t_φ-invalid), and consequently we can
once again use equation 3 to conclude that s_v also equals s_v(t_φ-valid) over [t_φ-invalid, t].
Combining the preceding arguments, we conclude that if s_v(t) is not ⊥, then s_v and s_v' must
both be stable and equal to s_v(t_φ-valid) over the interval (t_φ-valid, t].

The remainder of the proof is divided into two parts. The first part shows that the
lemma holds if φ' equals φ except over some closed subinterval of (t_φ-valid, t_φ-invalid]⌋ where
φ' is either High or Low over the entire subinterval. The second part uses the result of
the first part to show the lemma for any φ' that equals φ except over (t_φ-valid, t_φ-invalid]⌋.

Assume that φ' equals φ except over some closed subinterval [t_s, t_e] of (t_φ-valid, t_φ-invalid]⌋,
where φ' is stable over the subinterval. If φ is Low at time t, then φ' is also Low at time
t, and LEGAL(s_v, s_v', φ', t) is satisfied if s_v(t) equals s_v(t_φ'-valid) and s_v'(T) = s_v(t_φ'-valid) for
all T ∈ (t_φ'-valid, t_φ'-invalid]⌋. Observe, however, that (t_φ'-valid, t_φ'-invalid]⌋ must be a subinterval
of (t_φ-valid, t_φ-invalid]⌋, since t_φ'-valid equals t_e and t_φ'-invalid equals t_φ-invalid. Consequently, since
s_v and s_v' must both be stable and equal to s_v(t_φ-valid) over the interval (t_φ-valid, t], we
conclude that LEGAL(s_v, s_v', φ', t) is satisfied. An identical argument applies when φ is ⊥
at time t, and therefore we conclude that LEGAL(s_v, s_v', φ', t) must be satisfied if φ' equals
φ, except over some closed subinterval of (t_φ-valid, t_φ-invalid]⌋, where φ' is stable over
the subinterval.

By repeating the preceding argument, we can conclude that the lemma holds for arbitrary
closed interval differences between φ' and φ during (t_φ-valid, t_φ-invalid]⌋. Consequently, all
that remains to be shown is that the lemma holds for any possible open interval differences
between φ' and φ during (t_φ-valid, t_φ-invalid]⌋.

Open interval differences between φ' and φ during (t_φ-valid, t_φ-invalid]⌋ are in general not
permissible, since φ' would no longer be a digital clock signal. The exceptions are the two
intervals (t_φ-valid, t_s] and [t_e, t_φ-invalid), where t_s and t_e are in the interval (t_φ-valid, t_φ-invalid]⌋.
If φ' is stable with the appropriate values over these intervals, the effect would be to once
again make the interval (t_φ'-valid, t_φ'-invalid]⌋ a subinterval of (t_φ-valid, t_φ-invalid]⌋. As before,
however, since s_v and s_v' must both be stable and equal to s_v(t_φ-valid) over the interval
(t_φ-valid, t], we know that s_v and s_v' must both be stable and equal to s_v(t_φ-valid) over the
interval (t_φ'-valid, t], and therefore that LEGAL(s_v, s_v', φ', t) must be satisfied. □

Unfortunately, lemma 3.2 only states that equation 3 does not wrongly require an output
signal to be valid. Consequently, it is of limited usefulness, since it would, for example,
trivially hold if LEGAL for a latch required that the output signal for the latch always be
⊥. Observe, however, that the converse of lemma 3.2 is not true, since an input signal
value of ⊥ is another possible reason for the output signal of a latch to be invalid.

Lemma  3.3  is  analogous  to  the  converse  of  lemma  3.2,  but  takes  into  account  the  fact 
that  invalidity  of  the  input  signal  can  affect  the  output  signal.  Specifically,  it  states  that  if 
the  output  signal  of  a  latch  is  X,  then  some  ambiguity  introduced  by  an  underdefined  clock 
signal  either  itself  introduces  ambiguity  about  the  value  of  the  output  signal,  or  allows 
ambiguity  about  the  value  of  the  input  signal  to  be  transferred  to  the  output  signal. 

Lemma 3.3 Let s_v' be the input signal, s_v be the output signal and φ be the clock signal
of an ideal latch, where LEGAL(s_v, s_v', φ, T) for the latch is satisfied for all time T. If
s_v(t) = ⊥, then there exist digital clock signals φ', φ'_1 and φ'_2, that equal φ for all t' such
that φ(t') is valid, and either

1. LEGAL(s'_v, s_v', φ'_1, t) and LEGAL(s'_v, s_v', φ'_2, t) cannot both be satisfied by any possible
output signal s'_v whose value at time t is valid, or

2. LEGAL(s_v, s_v', φ', t) constrains s_v(t) to be the value of s_v'(t') for some t' less than or
equal to t, where s_v'(t') is ⊥.

Proof: The strategy for the proof is to examine each of the conditions that allow
s_v(t) to equal ⊥ when LEGAL(s_v, s_v', φ, t) is satisfied. In each case, we show that at least
one of the conditions stated in the lemma holds.

If φ equals High at time t, the lemma holds trivially, since LEGAL(s_v, s_v', φ, t) itself
constrains s_v(t) to be the value of s_v'(t). In addition, none of the clauses of equation 3 ever
reference any signal values for times not in the interval (t_φ-valid, t]. Consequently, we can
assume without loss of generality that φ is not equal to High at time t, and that φ', φ'_1 and φ'_2
are equal to φ, except over the interval (t_φ-valid, t_φ-invalid]⌋, where t_φ-invalid is in the interval if
t_φ-invalid equals t.
Figure 8: The figure illustrates how φ' from lemma 3.3 is constructed.

There are two cases to consider if φ equals Low at time t. If φ equals Low at time t
and LEGAL(s_v, s_v', φ, t) is satisfied, s_v(t) equal to ⊥ implies that either s_v' is not stable over
(t_φ-valid, t_φ-invalid]⌋, or s_v' is stable over (t_φ-valid, t_φ-invalid]⌋ with a value not equal to s_v(t_φ-valid).

If φ equals Low at time t, and s_v' is not stable over (t_φ-valid, t_φ-invalid]⌋, then s_v' must have
value ⊥ over some non-zero length subinterval of (t_φ-valid, t_φ-invalid]⌋. To see this, consider
the following. If s_v' is not stable over (t_φ-valid, t_φ-invalid]⌋, then either s_v' is constant with
value ⊥ over (t_φ-valid, t_φ-invalid]⌋, or s_v' holds two different values during (t_φ-valid, t_φ-invalid]⌋.
In either case, however, s_v' must have value ⊥ over some non-zero length subinterval of
(t_φ-valid, t_φ-invalid]⌋, since a digital signal must take on the value ⊥ over some open interval
between any two times that it has a valid value.

If s_v' has value ⊥ over some non-zero length subinterval of (t_φ-valid, t_φ-invalid]⌋, we can
construct a φ' such that s_v(t) is equal to the value of s_v' over the subinterval. We construct
φ' by introducing into the subinterval a short closed interval, during which φ' is High,
followed by a short open interval, during which φ' is ⊥, and setting φ' equal to Low for
times after the open ⊥ interval. Observe that φ' is such that the invalid value of s_v' is latched and
held through time t. We can thus conclude that the lemma holds when φ is Low at time
t, and s_v' is not stable over (t_φ-valid, t_φ-invalid]⌋. Figure 8 illustrates how φ' is constructed.

If φ equals Low at time t, and s_v' is stable over (t_φ-valid, t_φ-invalid]⌋ with a value not equal
to s_v(t_φ-valid), we can show that φ must equal Low at time t_φ-valid. First, by the definition
of digital signal and t_φ-valid, φ cannot equal ⊥ at t_φ-valid, since this would imply that either
STABLE(φ, Low) or STABLE(φ, High) contained a nonoverlapping open interval. Similarly,
φ cannot equal High at time t_φ-valid, since s_v' stable over (t_φ-valid, t_φ-invalid]⌋ with a value not
equal to s_v(t_φ-valid) would imply that STABLE(s_v', z) would contain a nonoverlapping open
interval, for some valid value z. Consequently, we can restrict the proof for φ equal to Low
at time t, and s_v' stable over (t_φ-valid, t_φ-invalid]⌋ with a value not equal to s_v(t_φ-valid), to
the case where φ must equal Low at time t_φ-valid.

If φ is equal to Low at time t_φ-valid, we can show the lemma by constructing an ap-
propriate pair of clock signals, φ'_1 and φ'_2. The clock signal φ'_1 simply has value Low over
(t_φ-valid, t_φ-invalid]⌋, so that φ'_1 is Low over [t_φ-valid, t]. By lemma 3.1, s_v at time t must equal
s_v(t_φ-valid), if LEGAL(s_v, s_v', φ'_1, t) is to be satisfied. The clock signal φ'_2 is constructed in
a way similar to the clock signal φ' used when s_v' is not stable over (t_φ-valid, t_φ-invalid]⌋.
By construction, s_v at time t must equal the value of s_v' during (t_φ-valid, t_φ-invalid]⌋, if
LEGAL(s_v, s_v', φ'_2, t) is to be satisfied. Since this case only applies if s_v' is stable over
(t_φ-valid, t_φ-invalid]⌋ with a value not equal to s_v(t_φ-valid), we can conclude that LEGAL(s'_v, s_v', φ'_1, t)
and LEGAL(s'_v, s_v', φ'_2, t) cannot both be satisfied by any possible signal s'_v whose value at
time t is valid. Consequently, the lemma holds when φ is Low at time t.

If φ is ⊥ at time t, we can show the lemma by applying an argument identical to the
one for φ equal to Low at time t. Simply modify φ', φ'_1 and φ'_2 so that they are all Low
at time t. □

Lemmas 3.4 and 3.5 verify facts about ideal latches that are needed in section 6, where
we show that ideal circuit components can be used to model complete circuits. In addition,
they verify the intuitive notion that the output signal of an ideal latch cannot suddenly
become valid while the clock signal of the latch is underdefined.

Lemma 3.4 Let s_v' be the input signal, s_v be the output signal and φ be the clock signal of
an ideal latch, where LEGAL(s_v, s_v', φ, T) for the latch is satisfied for all time T. If φ is ⊥
over the interval ⌊(t_s, t_e)⌋ and for some t ∈ ⌊(t_s, t_e)⌋, s_v' is not stable over the interval (t_s, t],
then s_v must be constant and ⊥ over the interval [t, t_e)⌋.

Proof: The first step in the proof is simply to show that s_v' not stable over the interval
(t_s, t] implies that s_v(t) must equal ⊥. To see this, consider the following. Since by
definition t_φ-valid must be less than or equal to t_s, we know that (t_s, t] is a subinterval of
(t_φ-valid, t] and consequently, that s_v' is not stable over (t_φ-valid, t]. Recalling the definition
of stability, we therefore know that during (t_φ-valid, t] s_v' is either 1) not constant or 2)
constant with value ⊥. In addition, since φ is ⊥ at time t, the value of s_v is determined in
one of two ways. Either s_v'(t') = s_v(t_φ-valid) for all t' ∈ (t_φ-valid, t] and s_v(t) = s_v(t_φ-valid), or
s_v'(t') ≠ s_v(t_φ-valid) for some time t' ∈ (t_φ-valid, t] and s_v(t) = ⊥. Now, if s_v' is not constant
during (t_φ-valid, t], then for some time during (t_φ-valid, t] its value cannot be equal to s_v(t_φ-valid)
and s_v(t) must equal ⊥. Alternately, if s_v' is constant with value ⊥ over (t_φ-valid, t], then
either s_v(t_φ-valid) equals ⊥, or it does not. In either case, s_v(t) must again equal ⊥.

To finish the proof, we simply must show that s_v' not stable over (t_s, t] implies that
s_v' is not stable over (t_s, T], for all T in [t, t_e)⌋. This is obviously true, however, since (t_s, t]
will always be a subinterval of (t_s, T]. □

Lemma 3.5 Let s_v' be the input signal, s_v be the output signal and φ be the clock signal
of an ideal latch, where LEGAL(s_v, s_v', φ, T) for the latch is satisfied for all time T. If φ
is ⊥ over some interval ⌊(t_s, t_e)⌋, then s_v can change value at most once during ⌊(t_s, t_e)⌋, and
the transition must be from a valid value to ⊥.

Proof: While this lemma may seem to be an obvious consequence of lemma 3.4, there are
in fact four possible cases that must be considered in the proof. First, s_v'(T) may equal
s_v(t_φ-valid) for all T ∈ (t_φ-valid, t_e)⌋. In this case, s_v equals s_v(t_φ-valid) over ⌊(t_s, t_e)⌋ and s_v does
not change value at all during the interval. Second, s_v'(T) may be constant with some
value that is not equal to s_v(t_φ-valid) for all T ∈ (t_φ-valid, t_e)⌋. In this case, s_v equals ⊥ over
⌊(t_s, t_e)⌋ and once again s_v does not change value at all during the interval. Third, for some t
in ⌊(t_s, t_e)⌋, s_v' may be stable with value s_v(t_φ-valid) over (t_φ-valid, T] for all T in (t_s, t], but not
for any T in (t, t_e)⌋. In this case, equation 3 and lemma 3.4 imply a single value transition,
with s_v equal to s_v(t_φ-valid) over (t_s, t] and equal to ⊥ over (t, t_e)⌋. Finally, for some t in
⌊(t_s, t_e)⌋, s_v' may be stable with a value not equal to s_v(t_φ-valid) over (t_φ-valid, T] for all T in
(t_s, t], but not for any T in (t, t_e)⌋. In this case, equation 3 and lemma 3.4 imply that the
value of s_v is ⊥ over the entire interval ⌊(t_s, t_e)⌋, with no transitions. □

As a final note, we have assumed throughout this section that the input signals of
ideal components are digital signals, but have made no attempt to determine whether this
implies that the output signals are digital. We address this question in section 6, in the
more general context of complete circuits.

4  Strictly  Clocked  Circuits 

This section presents our basic model for how circuit components are used to construct
complete circuits. Our representations for a circuit and a computation on it are given, and
we define the class of strictly clocked circuits, which is the subject of the remainder of this
thesis.

A  circuit  is  constructed  by  interconnecting  a  finite  number  of  electrical  components, 
such  as  transistors  and  logic  gates.  We  represent  a  circuit  as  a  directed  graph  G  =  ( V ,  E), 
where  each  vertex  in  V  is  a  circuit  component,  and  (u,v)  €  E  if  the  output  signal  of 
u  is  an  input  signal  of  v.  We  assume  that  each  component  has  an  input  edge  for  each 
of  its  input  signals,  which  is  equivalent  to  assuming  that  a  circuit  contains  no  “floating 
wires”.  Observe  that  in  this  representation,  things  like  wires  in  a  circuit  are  considered  to 
be  electrical  components.  Intuitively,  this  is  how  it  should  be,  since  objects  like  wires  can 
in  fact  have  very  complex  electrical  behavior.  A  computation  C  on  a  circuit  G  =  (V,  E)  is 
a  set  of  signals,  that  contains  for  each  component  v  in  V  a  signal  sv. 

A computation C implicitly contains two sets of circuit inputs. The first is the set of
clock signals for latches. We denote this set as Φ, and assume that it contains only digital
clock signals. The second is the set of signal values at time −∞. This set is denoted as Z,
and specifies the initial conditions of the circuit components. In this thesis, we consider Φ
to be constant for all computations on a particular circuit, thus making Z the only circuit
input.

A digital circuit is a circuit G = (V, E), where V contains only digital circuit compo-
nents, and computations on G contain a unique signal s_v for each component in V. Just
as for individual digital components, we define a constraint for a digital circuit

LEGAL(C, t)

that, if satisfied at time t, indicates that at time t all signals in C are consistent with the
behavior of each digital component in V. An entire computation C is said to be legal if
LEGAL(C, T) is satisfied for all T.

The stipulation that s_v be unique is not equivalent to assuming that only a single com-
ponent can "drive" a particular wire, since a bus can be viewed as an electrical component
with an input for each component that can drive it. Observe, however, that the unique-
ness of s_v does imply that a signal in a computation only has to satisfy the output signal
constraint of a single digital component. Consequently, our definition of a digital circuit
includes a tacit assumption that the function associated with a functional element specifies
a value for all possible combinations of valid input signal values. In the case of a bus,
this assumption is equivalent to assuming that the function associated with the bus is able to
"resolve" any bus conflicts.

This  thesis  considers  digital  circuits  that  have  all  of  the  following  properties: 
1. The set of clocks Φ is finite, and its elements are fully specified digital clock signals.
Circuits with this property are statically clocked.

2. There exists a start time, t_start not equal to −∞, such that all signals in Φ are constant
over the interval [−∞, t_start]. Circuits with this property are statically initialized.

3. For any time t, every cycle in G contains at least one latch whose clock signal has
value Low at time t. Circuits with this property are synchronous.

A circuit with all these properties is said to be a strictly clocked circuit.
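The three properties can be checked mechanically on a circuit graph. The following is an added example, not part of the thesis, that does so for clocks given as piecewise-constant (start, value) breakpoints beginning at −∞ (so they are finite and fully specified, property 1). The Figure 9 ring is used as the constructed test case under the assumption, not stated on the page, that A and C are latches on two clock phases and B and D are functional elements. Because each clock is constant between its breakpoints, synchroneity (property 3) need only be tested at the breakpoint times; at each such time the latches whose clock is Low are removed from the graph (by lemma 3.1 their outputs are isolated from their inputs) and the remainder is searched for a cycle. The "no floating wires" assumption of the circuit representation is checked as well.

```python
from math import inf

BOT = None
HIGH, LOW = "High", "Low"


def value_at(signal, t):
    """Value of a piecewise-constant signal (sorted (start, value) breakpoints) at t."""
    v = signal[0][1]
    for start, val in signal:
        if start <= t:
            v = val
        else:
            break
    return v


def is_digital_clock(signal):
    """Property 1 (statically clocked): finite, fully specified from -inf, over {High, Low, ⊥}."""
    return (bool(signal) and signal[0][0] == -inf
            and all(v in (HIGH, LOW, BOT) for _, v in signal)
            and all(signal[i][0] < signal[i + 1][0] for i in range(len(signal) - 1)))


def start_time(clocks):
    """Property 2 (statically initialized): a t_start > -inf up to which every clock is constant.
    With breakpoint signals this is the earliest second breakpoint (+inf if no clock changes)."""
    t_start = min((sig[1][0] for sig in clocks.values() if len(sig) > 1), default=inf)
    return None if t_start == -inf else t_start


def find_cycle(nodes, edges):
    """A cycle of the directed graph restricted to `nodes`, as a node list, or None (DFS)."""
    succ = {n: [] for n in nodes}
    for u, v in edges:
        if u in succ and v in succ:
            succ[u].append(v)
    state, path = {n: 0 for n in nodes}, []     # 0 = unseen, 1 = on current path, 2 = done

    def dfs(u):
        state[u] = 1
        path.append(u)
        for v in succ[u]:
            if state[v] == 1:
                return path[path.index(v):] + [v]
            if state[v] == 0:
                cyc = dfs(v)
                if cyc:
                    return cyc
        path.pop()
        state[u] = 2
        return None

    for n in nodes:
        if state[n] == 0:
            cyc = dfs(n)
            if cyc:
                return cyc
    return None


def synchroneity_violation(components, edges, clocks):
    """Property 3 (synchronous): for every t, each cycle of G contains a latch whose clock is
    Low at t.  Clocks are constant between breakpoints, so only breakpoint times are tested.
    Latches with a Low clock are deleted (lemma 3.1 isolates their output from their input);
    a surviving cycle has no Low-clocked latch.  Returns (t, cycle) or None."""
    for t in sorted({s for sig in clocks.values() for s, _ in sig}):
        open_nodes = [n for n, (kind, _, clk) in components.items()
                      if not (kind == "latch" and value_at(clocks[clk], t) == LOW)]
        cyc = find_cycle(open_nodes, edges)
        if cyc:
            return t, cyc
    return None


def floating_wires(components, edges):
    """Components with fewer input edges than declared input signals."""
    indeg = {n: 0 for n in components}
    for _, v in edges:
        indeg[v] += 1
    return [n for n, (_, n_in, _) in components.items() if indeg[n] < n_in]


def strictly_clocked(components, edges, clocks):
    """(True, None) if all three properties hold, else (False, reason)."""
    if floating_wires(components, edges):
        return False, "floating wires at %s" % floating_wires(components, edges)
    if not all(is_digital_clock(sig) for sig in clocks.values()):
        return False, "not statically clocked"
    if start_time(clocks) is None:
        return False, "not statically initialized"
    bad = synchroneity_violation(components, edges, clocks)
    if bad:
        return False, "not synchronous at t=%s: cycle %s" % bad
    return True, None


# Constructed test case: the four-component ring of Figure 9, assuming (not stated in the
# thesis) that A and C are latches on two clock phases and B, D are functional elements.
COMPONENTS = {"A": ("latch", 1, "phi1"), "B": ("fe", 1, None),     # name: (kind, #inputs, clock)
              "C": ("latch", 1, "phi2"), "D": ("fe", 1, None)}
EDGES = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "A")]
TWO_PHASE = {   # non-overlapping phases: at every time at least one of them is Low
    "phi1": [(-inf, LOW), (0, BOT), (1, HIGH), (4, BOT), (5, LOW)],
    "phi2": [(-inf, LOW), (5, BOT), (6, HIGH), (9, BOT), (10, LOW)],
}
OVERLAPPING = {  # phi2 leaves Low at t=3 while phi1 is still High: the ring is open at t=3
    "phi1": TWO_PHASE["phi1"],
    "phi2": [(-inf, LOW), (3, BOT), (4, HIGH), (9, BOT), (10, LOW)],
}

if __name__ == "__main__":
    print(strictly_clocked(COMPONENTS, EDGES, TWO_PHASE))
    print(strictly_clocked(COMPONENTS, EDGES, OVERLAPPING))
```

With the non-overlapping phases every breakpoint time leaves at least one of A and C Low-clocked, so the ring A→B→C→D→A is always broken and the circuit is strictly clocked. With the overlapping phases, at t = 3 phi1 is High and phi2 is ⊥, neither latch is removed, and the check reports the surviving cycle; a ⊥ clock value is deliberately not treated as Low, since the latch may be transparent during it.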

Of  the  three  properties  of  a  strictly  clocked  circuit,  static  initialization  and  synchroneity 
are  effectively  met  by  most  MOS  circuits.  For  example,  most  circuits  incorporate  some 
form  of  reset  mechanism,  that  provides  a  means  of  establishing  a  start  time  for  subsequent 
computations.  Synchroneity  is  also  generally  met,  since  circuits  typically  use  latches  to 
prevent  race-conditions  between  combinational  logic  blocks  designed  for  minimum  delay. 
Static  initialization  and  synchroneity  may  not  be  met  by  designs  that  are  pushing  the  state- 
of-the-art  in  circuit  design,  but  we  believe  that  with  appropriate  extensions  our  model  can 
be  generalized  to  circuits  without  these  properties. 

Many  modern  MOS  circuits  are  not  statically  clocked,  and  it  is  less  clear  whether 
our  model  can  be  generalized  to  circuits  without  this  property.  The  difficulty  is  related 
to  the  problem  described  in  section  3,  where  it  was  noted  that  determining  whether  the 
output  signals  of  functional  elements  are  underdefined  or  undefined  is  too  computationally 
expensive  to  be  practical.  If  we  are  unable  to  determine  the  outputs  of  functional  elements, 
using  these  outputs  as  clock  signals  introduces  additional  uncertainty.  The  implications  of 
this  uncertainty  are  at  the  time  of  this  writing  not  clear. 

5  Computational  Predicates 

In this section we define the class of computational predicates, which can be used to prove
properties of strictly clocked circuits. We begin by discussing some of the issues of analyzing
the time dependent behavior of a strictly clocked circuit, and then develop the mechanism
of computational ordering for performing such analysis. In addition, the important concept
of circuit configurations is introduced.

A  primary  goal  of  this  thesis  is  to  show  that  our  models  for  ideal  circuit  components 
also  form  a  model  for  complete  circuits.  Until  now,  we  have  only  examined  the  behavior  of 
isolated  digital  components.  It  remains  to  be  shown  whether  a  group  of  digital  components 
can  be  used  in  aggregate  to  form  a  circuit  that  exhibits  reasonable  behavior.  For  example, 
do  legal  computations  exist  for  strictly  clocked  circuits? 

Unfortunately, it is not clear how to prove properties of strictly clocked circuits, since there exist many indirect constraints on the signals in a legal computation. Consider, for example, the circuit in figure 9, where the latch A not only places constraints between the values of signals $s_v$ and $s_{v'}$, but via functional element B also indirectly places constraints between the values of $s_{v'}$ and $s_{v''}$. The situation is made even more difficult by the fact that the path via components A, B, C and D implies that there exists an indirect constraint between $s_v$ and itself. Accounting for all such indirect constraints becomes a formidable task when considering an entire circuit for all possible values of time.
Figure 9: Shown is a four-component circuit. Observe that the latch A not only places constraints between the values of signals $s_v$ and $s_{v'}$, but via functional element B also indirectly places constraints between the values of $s_{v'}$ and $s_{v''}$.

A common method for attacking problems that are characterized by indirect constraints is induction. The method of induction that we will use proves that a set of objects has a certain property by using the following three basic steps:

1. The desired property for the set is reformulated as a predicate on elements of the set. The predicate is such that if the predicate is not satisfied by any element of the set, then the set has the original property.

2. An acyclic induction ordering of all elements in the set is established, such that if the predicate is satisfied by some element, then some element immediately earlier in the ordering must also have satisfied the predicate.

3. Elements that have no other elements before them in the ordering are shown not to satisfy the predicate.

Once all three steps have been completed, the following reasoning is used to show that the original set must have the original property. Assume that there exist elements of the set that satisfy the predicate, and follow the acyclic induction ordering back to find an element $z$, such that $z$ satisfies the predicate, but all elements immediately before $z$ in the ordering do not satisfy the predicate. The only way for such a $z$ to exist is if $z$ has no elements before it in the induction ordering. Consequently, since elements with no elements before them in the induction ordering have been explicitly shown not to satisfy the predicate, the assumption that any elements satisfied the predicate must have been in error.

The astute reader will note, however, that using inductive methods is much harder than the preceding description indicates, particularly when continuous quantities, like time, are involved. The difficulty resides in the possibility that we could follow the ordering back indefinitely, without ever finding a suitable element $z$. Consider, for example, the property “is less than or equal to 5”, for the non-negative real numbers, inductively ordered by the less-than operator. Clearly, the predicate for this property, “is not less than or equal to 5”, is not true at 0, which is the only non-negative real number that has no other non-negative reals that are less than it. In addition, for any number $z$ that is not less than or equal to 5, we can obtain another real number $y$ that is less than $z$, but still not less than or equal to 5, by using the equation $y = z - 0.5(z - 5)$. Consequently, the property “is less than or equal to 5” can be fitted into our framework for an inductive proof, but it is obvious that not all non-negative real numbers are less than or equal to 5.

Fortunately, the computational predicates form a class of properties for which inductive techniques can be adapted. A predicate is a function that maps signal-time pairs into the set {TRUE, FALSE}. A predicate $\mathcal{P}$ is said to be satisfied by a signal $s_v$ at time $t$ if $\mathcal{P}(s_v,t) = \mathrm{TRUE}$. A predicate $\mathcal{P}$ is a computational predicate if it has the following five properties.

1. Every signal-time pair $(s,t)$ in a computation $C$ is mapped by $\mathcal{P}$ to the set {TRUE, FALSE}. A predicate with this property is fully defined.

2. $\mathcal{P}(s_v,t) = \mathrm{TRUE}$ must imply that $\mathcal{P}(s_v,T) = \mathrm{TRUE}$ for all $T$ greater than or equal to $t$. A predicate with this property is monotone.

3. If $s_v$ is the output signal for digital component $v$, then $\mathcal{P}(s_v,t) = \mathrm{TRUE}$ must imply that $\mathcal{P}(s_{v'},t') = \mathrm{TRUE}$, for some $s_{v'}$ that is an input signal for $v$, and some $t'$ that is less than or equal to $t$. A predicate with this property is causal.

4. If $s_v$ is the output signal for some latch whose clock signal has value LOW at $t$, then $\mathcal{P}(s_v,T) = \mathrm{TRUE}$ over some interval $(t,t')$ must imply that $\mathcal{P}(s_v,t) = \mathrm{TRUE}$, and $\mathcal{P}(s_v,T) = \mathrm{FALSE}$ over some interval $[t',t)$ must imply that $\mathcal{P}(s_v,t) = \mathrm{FALSE}$. A predicate with this property is latchable.

5. If $s_v$ is the output signal for some latch whose clock signal has value LOW at $-\infty$, then $\mathcal{P}(s_v,-\infty) = \mathrm{FALSE}$. A predicate with this property is uninitial.

The same induction ordering is used in all the inductive proofs for computational predicates. Let $C$ be a computation on a strictly clocked circuit, $G = (V,E)$. The ordering used to inductively prove computational predicates is called the computational ordering.

The computational ordering orders signals based on two orderings of signal-time pairs. The first ordering for signal-time pairs is based on the times, while the second ordering is based on the signals.

The first ordering for signal-time pairs is done chronologically by time. The signal-time pair $(s_v,t)$ satisfies the predicate $\mathcal{P}$ chronologically before the signal-time pair $(s_{v'},t')$ if $\mathcal{P}(s_v,t)$ equals TRUE and $t$ is less than $t'$. In general, chronological ordering is not sufficient to isolate a single signal-time pair that satisfies $\mathcal{P}$ before all others. For example, suppose that $\mathcal{P}(s_v,t)$ equals TRUE if $s_v(t)$ equals X. We cannot guarantee that there exists a signal-time pair that satisfies $\mathcal{P}$ chronologically before all others, since equation 1 states that the input signal of a functional element changing to X constrains the output signal of that functional element to change to X simultaneously.

To order signal-time pairs that satisfy $\mathcal{P}$ at the same time $t$, we consider the structure of the circuit $G$. For any strictly clocked circuit $G$ and time $t$, the set of clock signals $\Phi$ maps to each latch a value for its clock input. Until some clock signal changes value, the circuit is equivalent in behavior to the circuit $G_t$ that is obtained by replacing latches mapped to HIGH with zero-delay identity functional elements, and deleting the input edges to latches mapped to LOW. The outputs of latches mapped to LOW are effectively external inputs, since their value cannot be affected by the values of other signals in the circuit. Since $G$ is strictly clocked, and therefore synchronous, $G_t$ will always be acyclic and consequently provides a partial ordering of the digital components in $G$. The circuit $G_t$ is the configuration of $G$ at time $t$, and provides a way to break ties between signal-time pairs that satisfy $\mathcal{P}$ at time $t$. Let $s_v$ and $s_{v'}$ be the output signals of two digital components $v$ and $v'$ in $V$, respectively. The signal-time pair $(s_v,t)$ satisfies $\mathcal{P}$ causally before the signal-time pair $(s_{v'},t)$ if both $\mathcal{P}(s_v,t)$ and $\mathcal{P}(s_{v'},t)$ equal TRUE, and there exists a path from $v$ to $v'$ in $G_t$.

Unfortunately, a naive combination of chronological and causal ordering does not allow us to inductively prove computational predicates. One might, for example, think that we could consider a signal-time pair $(s_v,t)$ to be before a signal-time pair $(s_{v'},t')$ if either $(s_v,t)$ satisfies $\mathcal{P}$ chronologically before $(s_{v'},t')$, or $(s_v,t)$ satisfies $\mathcal{P}$ causally before $(s_{v'},t')$. Observe, however, that we can set up a situation identical to the earlier “less than or equal to 5” example, by defining a predicate that is TRUE for a signal-time pair $(s_v,t)$ if $t$ is greater than 5.

Fortunately, we can perform inductive proofs of computational predicates by using chronological and causal ordering to establish a related ordering that is over the set of signals. Let $s_v$ and $s_{v'}$ be any two signals in a computation $C$. The signal $s_v$ is computationally before $s_{v'}$, for the predicate $\mathcal{P}$, if

1. there exists a time $t$, such that $(s_v,t)$ satisfies $\mathcal{P}$ chronologically before $(s_{v'},T)$ for all $T$, or

2. there exists an interval $[t_s,t_e]$, such that for all $T$ in $[t_s,t_e]$

(a) $(s_v,T)$ and $(s_{v'},T)$ satisfy $\mathcal{P}$,

(b) $(s_v,t)$ and $(s_{v'},t)$ do not satisfy $\mathcal{P}$ for any $t$ before $[t_s,t_e]$, and

(c) the configuration of the circuit $G_T$ is constant, and $(s_v,T)$ satisfies $\mathcal{P}$ causally before $(s_{v'},T)$.

Observe that computational ordering is an ordering of the set of signals. Since for any circuit/computation there are only a finite number of signals, computational ordering is not prone to the difficulties noted in the “less than or equal to 5” example.

Intuitively, computational ordering first orders signals by when they first satisfied $\mathcal{P}$, and breaks ties based on the configuration of the circuit at the time $\mathcal{P}$ was first satisfied. Extending our terminology, we say that signals ordered using chronological ordering are chronologically ordered, and similarly, signals ordered using causal ordering are causally ordered. Observe that since causal ordering for signal-time pairs is only a partial ordering, computational ordering of signals is also only partial. A signal $s_v$ is computationally first for a predicate $\mathcal{P}$ if no other signal is computationally before $s_v$.
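The construction of the configuration $G_t$ and the causal tie-break can be made concrete on the four-component ring of figure 9. The following Python model is an added example, not code from the thesis: the component names A, B, C and D follow the figure, while the two-phase clocks phi1 and phi2, the assignment of latches to clocks, and the direction of the edges are assumptions made for illustration.

```python
"""Configuration G_t of a strictly clocked circuit and causal ordering.

Added example (not from the thesis).  The circuit below is constructed:
latch A (clocked by phi1) -> functional element B -> latch C (clocked by
phi2) -> functional element D -> back to A, modelled on figure 9.
"""
from typing import Dict, List, Optional, Set

HIGH, LOW = "HIGH", "LOW"


class Component:
    """A digital component v with output signal s_v."""

    def __init__(self, name: str, kind: str, inputs: List[str], clock: Optional[str] = None):
        self.name = name            # v
        self.kind = kind            # "latch" or "fe" (functional element)
        self.inputs = list(inputs)  # components whose outputs feed v
        self.clock = clock          # clock name for a latch, None for an fe


# Constructed sample circuit G = (V, E); the edges are implied by the input lists.
SAMPLE: Dict[str, Component] = {
    "A": Component("A", "latch", ["D"], clock="phi1"),
    "B": Component("B", "fe", ["A"]),
    "C": Component("C", "latch", ["B"], clock="phi2"),
    "D": Component("D", "fe", ["C"]),
}


def configuration(components: Dict[str, Component], clocks: Dict[str, str]) -> Dict[str, List[str]]:
    """Build G_t for the clock values in `clocks` (clock name -> HIGH/LOW).

    A latch clocked HIGH keeps its input edge and acts as a zero-delay
    identity element; the input edges of a latch clocked LOW are deleted, so
    its output behaves as an external input.  Returns a successor map."""
    succ: Dict[str, List[str]] = {name: [] for name in components}
    for v in components.values():
        if v.kind == "latch" and clocks[v.clock] == LOW:
            continue  # delete the input edges of a LOW latch
        for u in v.inputs:
            succ[u].append(v.name)
    return succ


def topological_layers(succ: Dict[str, List[str]]) -> Optional[List[List[str]]]:
    """Layers of the partial order given by G_t (Kahn's algorithm), or None
    if G_t contains a cycle, i.e. the circuit is not synchronous."""
    indeg = {v: 0 for v in succ}
    for u in succ:
        for w in succ[u]:
            indeg[w] += 1
    layer = sorted(v for v in succ if indeg[v] == 0)
    layers: List[List[str]] = []
    placed = 0
    while layer:
        layers.append(layer)
        placed += len(layer)
        nxt = []
        for u in layer:
            for w in succ[u]:
                indeg[w] -= 1
                if indeg[w] == 0:
                    nxt.append(w)
        layer = sorted(nxt)
    return layers if placed == len(succ) else None


def reachable(succ: Dict[str, List[str]], start: str) -> Set[str]:
    """All components reachable from `start` by a path of length >= 1 in G_t."""
    seen: Set[str] = set()
    stack = list(succ[start])
    while stack:
        v = stack.pop()
        if v not in seen:
            seen.add(v)
            stack.extend(succ[v])
    return seen


def causally_first(components, clocks, satisfied: Set[str]) -> Set[str]:
    """Given the components whose output signals first satisfy P at the same
    time t (so chronological ordering cannot separate them), return those
    that no other such signal causally precedes: (s_u, t) is causally before
    (s_v, t) when there is a path from u to v in G_t."""
    succ = configuration(components, clocks)
    if topological_layers(succ) is None:
        raise ValueError("G_t has a cycle: the circuit is not strictly clocked")
    return {v for v in satisfied
            if not any(v in reachable(succ, u) for u in satisfied if u != v)}


if __name__ == "__main__":
    phase = {"phi1": LOW, "phi2": HIGH}
    print(topological_layers(configuration(SAMPLE, phase)))  # [['A'], ['B'], ['C'], ['D']]
    print(causally_first(SAMPLE, phase, {"B", "C", "D"}))     # {'B'}
```

With phi1 LOW and phi2 HIGH the edge D to A is deleted and C becomes an identity element, so $G_t$ is the chain A, B, C, D; if B, C and D all first satisfy $\mathcal{P}$ at the same $t$, only B is causally first. Driving both clocks HIGH leaves the ring intact, and the cycle check reports that such a configuration is not synchronous.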

The first step in showing that computational predicates can be proved inductively is to show that if there exists a signal-time pair that satisfies a computational predicate $\mathcal{P}$, then there exists a computationally first signal for $\mathcal{P}$. Lemmas 5.1 and 5.2 prove the existence of a computationally first signal in two steps. First, lemma 5.1 shows that chronological ordering can isolate a set of signals such that the interval $[t_s,t_e]$ needed for applying causal ordering exists. Second, lemma 5.2 shows that at least one computationally first signal can be found in the set isolated by lemma 5.1.
Lemma 5.1 If $\mathcal{P}$ is a monotone predicate, then for any two digital signals $s_v$ and $s_{v'}$, either one signal is chronologically before the other or $\mathcal{P}(s_v,T)$ equals $\mathcal{P}(s_{v'},T)$ for all $T$.

Proof: If $\mathcal{P}$ is monotone, then for any signal, the signal either satisfies $\mathcal{P}$ for all time, satisfies $\mathcal{P}$ for no time, or for some time $t$ does not satisfy $\mathcal{P}$ over the interval $[\![-\infty,t]\!]$ but does satisfy $\mathcal{P}$ for all times after the interval. Observe, however, that if $\mathcal{P}(s_v,T)$ does not equal $\mathcal{P}(s_{v'},T)$ for all $T$, then $\mathcal{P}$ must be satisfied by one signal at some time strictly before all the times that $\mathcal{P}$ is satisfied by the other, which by definition implies that one signal is chronologically before the other. □

We now show that if a computational predicate $\mathcal{P}$ is ever satisfied by some signal-time pair from a computation on a strictly clocked circuit, then there exists some signal in the computation that is computationally first for $\mathcal{P}$.

Lemma 5.2 Let $\mathcal{P}$ be some computational predicate, and $C$ be a computation on some strictly clocked circuit $G$. If for some signal $s_v$ in $C$ and time $t$, $\mathcal{P}(s_v,t)$ is TRUE, then there exists a signal in $C$ that is computationally first for $\mathcal{P}$.

Proof: By definition, there exists a computationally first signal unless there exists some set of signals $S$ such that for every signal $s_v$ in $S$, there exists another signal $s_{v'}$ in $S$ that is computationally before $s_v$. We can show, however, that such a set of signals cannot exist.

We first show that the existence of such a set $S$ implies that there must exist a time $t$, such that all signals in the sequence do not satisfy $\mathcal{P}$ over the interval $[\![-\infty,t]\!]$ but do satisfy $\mathcal{P}$ for all times after the interval. Consider the following argument. Since there are only a finite number of signals, the existence of $S$ implies that there exists a cyclic sequence of signals, such that each signal in the sequence is computationally before the next. If we consider each adjacent pair of signals in the sequence, lemma 5.1 guarantees that any pair must either be chronologically ordered or satisfy $\mathcal{P}$ at all the same times. Observe, however, that no pair of adjacent signals can be chronologically ordered, since we could then follow the cyclic sequence back and conclude that some signal was chronologically before itself. Thus, the existence of $S$ implies that there must exist a time $t$, such that all signals in the sequence do not satisfy $\mathcal{P}$ over the interval $[\![-\infty,t]\!]$ but do satisfy $\mathcal{P}$ for all times after the interval.

Now, since $G$ is strictly clocked, there must exist a time $t' > t$ such that the configuration of $G$ is constant over the interval $[\![t,t']\!]$, where $[\![t,t']\!]$ contains $t$ if and only if the interval $[\![-\infty,t]\!]$ did not. To see this, consider the following. Since $G$ is strictly clocked, and therefore statically clocked, $\Phi$ contains a finite number of locally finite digital clock signals. Consequently, $G$ can change configurations only a finite number of times during any interval $[t_i,t_j]$, where $t_i,t_j \in \mathbb{R}$. In addition, since $G$ is strictly clocked, and therefore statically initialized, we can also conclude that $G$ can change configurations only a finite number of times during any interval $[t_i,t_j]$, where $t_i,t_j \in \mathbb{R} \cup \{-\infty\}$. Now, if we let $t''$ be any time greater than $t$, by the preceding arguments, $G$ can change configuration only a finite number of times during the interval $[\![t,t'']\!]$. Consequently, there must exist a $t'$ greater than or equal to $t$ but less than $t''$ such that the configuration of $G$ is constant over $[\![t,t']\!]$.

Now, let $G_t$ be the configuration corresponding to the interval $[\![t,t']\!]$. Since none of the signals in the sequence are chronologically before any of the others, the fact that each signal is computationally before the next implies that there exists a cycle in $G_t$. This, however, is not possible, since $G$ is strictly clocked, and therefore synchronous. □


We can now prove the theorem that will allow us to easily determine whether a computation on a strictly clocked circuit has a particular property. Theorem 5.1 states that no computational predicate can be satisfied by any signal-time pair from a computation on a strictly clocked circuit. Consequently, a computation on a strictly clocked circuit can be easily shown to have a particular property if the negation of the property can be cast as a computational predicate.

Theorem 5.1 No computational predicate can be satisfied by any signal-time pair from a computation on a strictly clocked circuit.

Proof: Let $\mathcal{P}$ be a computational predicate, and $C$ be a computation on a strictly clocked circuit $G$. If $\mathcal{P}$ is satisfied by some signal-time pair from $C$, then lemma 5.2 implies that there exists in $C$ a computationally first signal for $\mathcal{P}$. We can show, however, that no such computationally first signal can exist, and thus conclude that $\mathcal{P}$ cannot have been satisfied by any signal-time pair from $C$.

Let $s_v$ be the implied computationally first signal. Since $\mathcal{P}$ is computational, and therefore uninitial and monotone, we know that there exists a $t$ such that $\mathcal{P}$ is not satisfied by $s_v$ over the interval $[\![-\infty,t]\!]$, but $\mathcal{P}$ is satisfied by $s_v$ for all time after the interval. In addition, by repeating the argument used in lemma 5.2, we know that there exists a time $t' > t$ such that the configuration of $G$ is constant over the interval $[\![t,t']\!]$, where $[\![t,t']\!]$ contains $t$ if and only if the interval $[\![-\infty,t]\!]$ did not.

Using the interval $[\![t,t']\!]$, we can show that $s_v$ must be the output signal of a latch whose clock signal has value LOW at $t$. Consider the following argument. If $s_v$ were the output signal of anything other than a latch whose clock signal had value LOW over $[\![t,t']\!]$, then the fact that $\mathcal{P}$ is computational, and therefore causal, would directly imply that $s_v$ was computationally preceded by some other signal. Consequently, $s_v$ must be the output signal of a latch whose clock signal has value LOW over $[\![t,t']\!]$. In addition, since $G$ is strictly clocked, and therefore statically clocked, the clock signal for the latch that corresponds to $s_v$ must be digital and must have value LOW over the closed interval $[t,t']$. Consequently, $s_v$ must be the output signal of a latch whose clock signal has value LOW at $t$.

Proof of the theorem is now easy. So far, we have demonstrated that if $\mathcal{P}$ is satisfied by some signal-time pair from $C$, then there must exist a signal $s_v$ in $C$ such that

1. $s_v$ is the output signal of a latch whose clock signal has value LOW at time $t$,

2. $\mathcal{P}$ is not satisfied by $s_v$ over the interval $[\![-\infty,t]\!]$, and

3. $\mathcal{P}$ is satisfied by $s_v$ for all time after the interval $[\![-\infty,t]\!]$.

No such signal can exist, however, since the fact that $\mathcal{P}$ is latchable implies conflicting values for $\mathcal{P}(s_v,t)$. □

Theorem 5.1 is significant for three reasons. First, it provides a way to perform a “generic” inductive proof for a property, by simply casting the property as a predicate, showing the negation of the predicate to be computational, and invoking theorem 5.1. In effect, the reference to theorem 5.1 repeats the basic inductive proof that was amortized across the proofs of lemma 5.1, lemma 5.2 and theorem 5.1. This ability to indirectly repeat the inductive argument represents a great notational convenience. Second, the theorem provides a mechanism for integrating the limit arguments that will generally be needed to show the latchability of a predicate into the inductive framework of computational ordering. Third, the theorem allows subsequent proofs to focus on the significant properties of a predicate, rather than the arguments that make use of them.

6 Model Consistency

In this section, we formally confirm the ability of digital components to model complete circuits. Specifically, we show that there exists for any strictly clocked circuit $G$ and set of initial conditions for $G$, a unique digital computation $C$ for which LEGAL$(C,T)$ is satisfied for all $T$. In addition, the usefulness and generality of theorem 5.1 is demonstrated by the use of computational predicates to prove the different properties of $C$.

Electrical circuits possess three natural properties that strictly clocked circuits must share if strictly clocked circuits are to be considered representations for electrical circuits. First, for any set of initial conditions, an electrical circuit has some behavior, whether it be to compute some function or to catch fire. Second, the behavior of an electrical circuit is such that the output signals of components are meaningful input signals for the components that use them for this purpose. Third, the behavior of an electrical circuit is deterministic and therefore unique for a particular set of initial conditions. Circuits that possess all these properties are said to be well formed. If strictly clocked circuits are not well formed, then strictly clocked circuits are incapable of accurately reflecting our most basic intuitive notions about electrical circuits.

Of the three natural properties, the most important from a formal standpoint is the existence of some behavior. For strictly clocked circuits, this property is equivalent to the assertion that for any initial conditions, there exists a computation $C$ that satisfies LEGAL$(C,T)$ for all $T$. If no such computation exists, then we are left without the ability to draw conclusions based on equations 1 and 3, and in effect are left with nothing but a meaningless formalism. Observe that this property does not assert that the signals in $C$ must necessarily be digital, just as the corresponding property for electrical circuits allows for catastrophic behavior such as catching fire.

Once the existence of a computation is established, the other two natural properties become meaningful. The property that the output signals of components be meaningful input signals is equivalent to stating that $C$ contains only digital signals. Similarly, the property that behavior is deterministic is equivalent to stating that for any set of initial conditions, $C$ is unique. Both these properties are “nice” properties that we expect properly operating circuits to possess. Observe, however, that even without these properties, it would still be possible to use equations 1 and 3 to reason about $C$.

The following four lemmas state that strictly clocked circuits possess all the properties for being well formed. In addition, the proofs for the lemmas demonstrate how computational predicates can be applied to different types of properties. Lemmas 6.1 and 6.2 show that if a legal computation exists for a strictly clocked circuit, then the computation must contain only digital signals. Lemma 6.3 and theorem 6.1 show that there exists a unique legal computation for any strictly clocked circuit and set of initial conditions. Lemmas 6.1 and 6.2 are presented first, because the straightforward computational predicates they utilize provide an easier introduction to how properties can be cast as computational predicates.
Lemma 6.1 Let $C$ be a computation on some strictly clocked circuit $G = (V,E)$. If $C$ satisfies LEGAL for all time, then for each signal $s_v$ in $C$, and value $x \in \mathcal{D}$, the values $t$ such that $s_v(t) = x$ form a set STABLE$(s_v,x)$ of nonoverlapping closed intervals.

Proof: The lemma obviously holds if we can show that no signal-time pairs from $C$ satisfy the predicate $\mathcal{P}_1$, where:

Predicate. $\mathcal{P}_1(s_v,t)$ equals TRUE if, for some $x \in \mathcal{D}$, the set STABLE$(s_v,x) \cap \{t' : t' \le t\}$ contains a nonoverlapping open interval, and FALSE otherwise.

Thus, we can prove the lemma by showing that $\mathcal{P}_1$ is computational, and invoking theorem 5.1.
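To see what the predicate $\mathcal{P}_1$ measures, the following Python model is an added example and not code from the thesis. It represents a signal as a finite list of disjoint constant segments with explicit open or closed end points (a constructed representation, sufficient for the locally finite signals considered here), builds STABLE$(s_v,x)$, evaluates $\mathcal{P}_1$, and checks its monotonicity on sample times; the two sample signals are constructed, and treating the transition value X as lying outside the data domain $\mathcal{D}$ is an assumption of the example.

```python
"""STABLE(s_v, x) and the predicate P_1 of lemma 6.1.

Added example (not from the thesis).  A signal is modelled as disjoint
constant segments; the two sample signals below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

X = "X"  # undefined value taken during a transition; assumed here to lie outside D


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float
    lo_closed: bool
    hi_closed: bool

    def is_closed(self) -> bool:
        return self.lo_closed and self.hi_closed

    def restrict(self, t: float) -> Optional["Interval"]:
        """Intersection with {t' : t' <= t}; None if empty."""
        if self.lo > t or (self.lo == t and not self.lo_closed):
            return None
        if self.hi <= t:
            return self
        return Interval(self.lo, t, self.lo_closed, True)


Signal = List[Tuple[Interval, object]]  # disjoint segments in time order


def stable(signal: Signal, x: object) -> List[Interval]:
    """STABLE(s_v, x): the maximal intervals over which s_v has value x."""
    return [iv for iv, val in signal if val == x]


def p1(signal: Signal, t: float) -> bool:
    """P_1(s_v, t): TRUE if for some value x in D the set
    STABLE(s_v, x) ∩ {t' : t' <= t} contains a non-closed interval,
    FALSE otherwise.  X is skipped because it is not a value of D."""
    values = {val for _, val in signal if val != X}
    for x in values:
        for iv in stable(signal, x):
            part = iv.restrict(t)
            if part is not None and not part.is_closed():
                return True
    return False


def is_monotone(signal: Signal, times: List[float]) -> bool:
    """Once P_1 is TRUE at some sample time it stays TRUE at later ones."""
    seen_true = False
    for t in sorted(times):
        now = p1(signal, t)
        if seen_true and not now:
            return False
        seen_true = seen_true or now
    return True


# Constructed samples.  GOOD passes through X between two closed stable
# intervals, as lemma 6.1 requires of a legal computation; BAD jumps from 0
# to 1 at t = 3 with the interval of value 1 open at its left end.
GOOD: Signal = [
    (Interval(0, 3, True, True), 0),
    (Interval(3, 4, False, False), X),
    (Interval(4, 10, True, True), 1),
]
BAD: Signal = [
    (Interval(0, 3, True, True), 0),
    (Interval(3, 10, False, True), 1),
]

SAMPLE_TIMES = [0, 2, 3, 3.5, 5, 10]

if __name__ == "__main__":
    print([p1(GOOD, t) for t in SAMPLE_TIMES])  # all False
    print([p1(BAD, t) for t in SAMPLE_TIMES])   # False up to t = 3, then True
```

On BAD, $\mathcal{P}_1$ is FALSE at $t = 3$ (the open end point is not yet inside $\{t' : t' \le t\}$) but TRUE at every later sample time, so it is monotone; on GOOD it is FALSE throughout, which is the behavior lemma 6.1 asserts for a legal computation.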

As will be typical, $\mathcal{P}_1$ is clearly fully defined, monotone and uninitial, and can be shown to be causal and latchable with an analysis of the different clauses of equations 1 and 3. The overall strategy for causality is to assume that $\mathcal{P}_1(s_v,t) = \mathrm{TRUE}$, and demonstrate on a clause by clause basis that if equations 1 and 3 are satisfied, then some input signal $s_{v'}$ must also have a nonoverlapping open interval in STABLE$(s_{v'},x) \cap \{t' : t' \le t\}$, for some value $x$. Specifically, we let $[\![t_1,t_2]\!]$ be the nonoverlapping open interval implied by $\mathcal{P}_1(s_v,t) = \mathrm{TRUE}$ and consider how each clause in equations 1 and 3 that may have to be satisfied by $s_v$ over $[\![t_1,t_2]\!]$ affects the value of $s_v$ at the end points $t_1$ and $t_2$. In each case, we can show that either the end point must be included in $[\![t_1,t_2]\!]$ and consequently cannot have caused $\mathcal{P}_1$ to be TRUE, or $\mathcal{P}_1(s_{v'},t_2) = \mathrm{TRUE}$ for some input signal $s_{v'}$. This is sufficient for showing $\mathcal{P}_1$ to be causal, since $t_2$ must be less than or equal to $t$. Since equations 1 and 3 have a total of six different clauses, we adopt the convention of itemizing parts of an analysis by the type of ideal element involved and the specific case being considered.

Functional Elements

$s_v(t) = f(s_1(t), s_2(t), \ldots, s_k(t))$:

This case applies if $s_i$ is stable for all $i = 1, 2, \ldots, k$ over the interval $[t-d,t]$. Consequently, the inclusion of $[\![t_1,t_2]\!]$ in STABLE$(s_v,x) \cap \{t' : t' \le t\}$ implies that all $s_i$ are stable over the interval $[\![t_1-d,t_2]\!]$. Observe, however, that if all input signals were stable over $[t_1-d,t_2]$ then $s_v$ would have to be stable over $[t_1,t_2]$, which contradicts the assumption that $[\![t_1,t_2]\!]$ was open. Consequently, there must exist some $s_i$ that is stable over the interval $[\![t_1,t_2]\!]$ but not stable over the interval $[t_1-d,t_2]$. This directly implies that for the value $x'$ that $s_i$ has during the interval $[\![t_1,t_2]\!]$, the set STABLE$(s_i,x')$ must contain an interval that is open at either $t_1$ or $t_2$. Thus, since $t_1$ must be less than or equal to $t_2$, $\mathcal{P}_1(s_i,t_2)$ must equal TRUE.

$s_v(t) = \bot$:

Since STABLE$(s_v,x)$ is defined only for elements of the data domain $\mathcal{D}$, $s_v$ cannot be $\bot$ at any time during $[\![t_1,t_2]\!]$. Consequently, this case is not applicable.

Latches

For simplicity, this part of the analysis will not be based on $[\![t_1,t_2]\!]$ but rather on two subintervals of $[\![t_1,t_2]\!]$. Since $G$ is strictly clocked, and therefore statically clocked and initialized, $G$ can take on only a finite number of configurations during the interval $[-\infty,t_2)$. Consequently, there must exist $t_1' > t_1$ and $t_2' < t_2$, such that the configuration of $G$ is constant over the intervals $[\![t_1,t_1']\!]$ and $[\![t_2',t_2]\!]$. By basing our analysis on these two end intervals, we avoid the complications introduced by transitions of the clock input and allow ourselves to consider each end point separately. This is important since, for any given circuit, it is likely that the different ends of $[\![t_1,t_2]\!]$ will be covered by different clauses.

$s_v(t) = s_{v'}(t)$ if $\phi(t) = \mathrm{HIGH}$:

Showing causality is simple for this case, given the assumption that $\phi$ is a digital clock signal. Consider the end interval $[\![t_1,t_1']\!]$. If $[\![t_1,t_1']\!]$ is closed, the end interval can be ignored. If it is open, consider the following. Since $\phi$ is a digital clock signal, STABLE$(\phi,\mathrm{HIGH})$ must contain only closed intervals, and thus $\phi$ must have value HIGH, and $s_v$ must equal $s_{v'}$, during the entire interval $[t_1,t_1']$. Consequently, $s_v$ stable, but not equal to $s_v(t_1)$, during the interval $[\![t_1,t_1']\!]$ directly implies $s_{v'}$ stable, but not equal to $s_{v'}(t_1)$, during the interval $[\![t_1,t_1']\!]$. The other end interval $[\![t_2',t_2]\!]$ can be covered with an identical argument.


$s_v(t) = s_v(t_{\phi\text{-valid}})$ if $\phi(t) = X$:

For $[\![t_1,t_1']\!]$, this clause always implies that $t_1$ is in $[\![t_1,t_1']\!]$. To see this, observe that since $s_v$ is assumed to be stable over $[\![t_1,t_1']\!]$, it cannot be equal to $\bot$ over that interval, and thus its value during $(t_{1,\phi\text{-valid}}, t_1']$ must equal its value at $t_{1,\phi\text{-valid}}$. Consequently $s_v$ must be stable over the interval $[t_{1,\phi\text{-valid}}, t_1']$ and $[\![t_1,t_1']\!]$ cannot have been open, since $t_{1,\phi\text{-valid}}$ must be less than or equal to $t_1$.

For $[\![t_2',t_2]\!]$, we must consider the value of $\phi$ at $t_2$. If $\phi(t_2)$ is equal to LOW, then $s_v(t_2)$ will equal $s_v(t_{2,\phi\text{-valid}})$ if $s_v$ equals $s_v(t_{2,\phi\text{-valid}})$ over $(t_{2,\phi\text{-valid}}, t_{2,\phi\text{-invalid}})$. Consequently, since $s_v$ stable over $[\![t_2',t_2]\!]$ implies that $s_{v'}$ must be stable over $(t_{2,\phi\text{-valid}}, t_2)$, and $t_{2,\phi\text{-invalid}}$ equals $t_2$, $s_v$ at time $t_2$ must be equal to its value over $[t_2',t_2)$ and thus by definition $s_v$ must be stable over $[\![t_2',t_2]\!]$.

If $\phi(t_2)$ equals X, then $[\![t_2',t_2]\!]$ can be open only if $s_{v'}$ is stable over $(t_{2,\phi\text{-valid}}, t_2)$, but not over $(t_{2,\phi\text{-valid}}, t_2]$. This, however, directly implies that STABLE$(s_{v'},x) \cap \{t' : t' \le t\}$ contains an open interval for the value of $s_{v'}$ during $(t_{2,\phi\text{-invalid}}, t_2)$.

Finally, if $\phi(t_2)$ equals HIGH, then $s_v(t_2)$ is equal to $s_{v'}(t_2)$. Consequently, since $s_v$ stable over $[\![t_2',t_2]\!]$ implies that $s_{v'}$ must be stable over $(t_{2,\phi\text{-valid}}, t_2)$, $[\![t_2',t_2]\!]$ can be open only if $s_{v'}$ at time $t_2$ is not equal to its value over the interval $(t_{2,\phi\text{-invalid}}, t_2)$. Just as for $\phi(t_2)$ equals X, however, this implies that STABLE$(s_{v'},x) \cap \{t' : t' \le t\}$ contains an open interval for the value of $s_{v'}$ during $(t_{2,\phi\text{-invalid}}, t_2)$.

$s_v(t) = s_v(t_{\phi\text{-high}})$ if $\phi(t) = \mathrm{LOW}$:

For $[\![t_1,t_1']\!]$, the fact that $\phi$ is a digital clock signal implies that $\phi$ must be LOW over $[t_1,t_1']$. Lemma 3.1 therefore implies that $s_v$ must be stable over $[t_1,t_1']$ and consequently, that $[\![t_1,t_1']\!]$ must be closed. The second end interval can be covered with an identical argument.
$s_v(t) = \bot$:

Just as for functional elements, this case is not applicable, since STABLE$(s_v,x)$ is defined only for elements of the data domain $\mathcal{D}$. Having addressed all clauses of equations 1 and 3, we can conclude that $\mathcal{P}_1$ is causal.

To demonstrate that $\mathcal{P}_1$ is latchable, we assume that $\mathcal{P}_1$ is not latchable and show that this results in a contradiction. First, we let $s_v$ be the output signal of some latch whose clock signal is LOW at time $t$. Now, to prove that if $\mathcal{P}_1(s_v,T) = \mathrm{FALSE}$ over $[t',t)$ then $\mathcal{P}_1(s_v,t) = \mathrm{FALSE}$, we show that if $\mathcal{P}_1(s_v,T) = \mathrm{FALSE}$ over $[t',t)$ does not imply that $\mathcal{P}_1(s_v,t) = \mathrm{FALSE}$, then there must exist an interval $[t_s,t)$ such that the configuration of the circuit is constant over $[t_s,t)$, and the value of $s_v$ over $[t_s,t)$ is constant and not equal to the value of $s_v$ at $t$. The existence of such an interval will be shown to be a contradiction, since such an interval is not possible for any value of $\phi$ over $[t_s,t)$. The proof that if $\mathcal{P}_1(s_v,T) = \mathrm{TRUE}$ over $(t,t']$ then $\mathcal{P}_1(s_v,t) = \mathrm{TRUE}$ is completely symmetrical.

Let $s_v$ be the output signal of some latch whose clock signal is LOW at time $t$, and assume that $\mathcal{P}_1(s_v, T) = \mathrm{FALSE}$ over some interval $[t', t)$ but $\mathcal{P}_1(s_v, t) = \mathrm{TRUE}$. Since $\mathcal{P}_1$ for $s_v$ is not TRUE for any time less than $t$, the open interval implied by $\mathcal{P}_1(s_v, t) = \mathrm{TRUE}$ must in fact be open at $t$. Consequently, by repeating the reasoning from the proof of lemma 5.2, we can conclude that $\mathcal{P}_1(s_v, T) = \mathrm{FALSE}$ over some interval $[t', t)$ but $\mathcal{P}_1(s_v, t) = \mathrm{TRUE}$ implies that there exists some $t_s$ less than $t$, such that the configuration of the circuit is constant over $[t_s, t)$, and the value of $s_v$ over $[t_s, t)$ is constant and not equal to the value of $s_v$ at $t$. We can show, however, that such a $t_s$ cannot exist for any value of $\phi$ over the interval $[t_s, t)$.

It is easy to show that $\phi$ cannot equal LOW or HIGH over $[t_s, t)$. If $\phi$ is LOW over $[t_s, t)$, then the fact that $\phi$ is assumed to be LOW at time $t$ implies that $\phi$ is LOW over $[t_s, t]$ and consequently that, by lemma 3.1, the value of $s_v$ over the interval $[t_s, t)$ cannot be different from the value of $s_v$ at $t$. In addition, $\phi$ cannot be HIGH over $[t_s, t)$, since $\phi$ equal to LOW at time $t$ would then imply that $\phi$ was not a digital signal.

Showing that $\phi$ cannot be $\bot$ over $[t_s, t)$ is more intricate, since it requires examining two possible cases. First, if $s_v$ has a valid value over $[t_s, t)$, then it must have value $s_v(t_{\phi\text{-valid}})$ over $[t_s, t)$. Consequently, we can conclude that the input signal $s_{v'}$ of the latch is constant and equal to $s_v(t_{\phi\text{-valid}})$ over $[t_{\phi\text{-valid}}, t)$. Observe, however, that equation 3 then directly implies that the value of $s_v$ at $t$ must also equal $s_v(t_{\phi\text{-valid}})$. Similarly, if $s_v$ does not have a valid value over $[t_s, t)$, then it must have value $\bot$ over $[t_s, t)$, and the input signal of the latch must not be equal to $s_v(t_{\phi\text{-valid}})$ over $[t_{\phi\text{-valid}}, t)$. As before, however, equation 3 then directly implies that the value of $s_v$ at $t$ must also equal $\bot$. Consequently, if $\phi$ is $\bot$ over $[t_s, t)$, then the value of $s_v$ over the interval $[t_s, t)$ cannot be different from the value of $s_v$ at $t$.

The proof that, if $\mathcal{P}_1(s_v, T) = \mathrm{TRUE}$ over $(t, t']$ then $\mathcal{P}_1(s_v, t) = \mathrm{TRUE}$, is symmetrical, except that we establish the existence of a $t_e$ greater than $t$, such that the configuration of the circuit is constant over $(t, t_e]$, and the value of $s_v$ over $(t, t_e]$ is constant and not equal to the value of $s_v$ at $t$. It is easy to show that such a $t_e$ cannot exist for any value of $\phi$ over the interval $(t, t_e]$. ∎

The second property of a digital signal requires that for any signal $s_v$ and value $x \in \mathcal{D}$, $\mathrm{STABLE}(s_v, x)$ is locally finite. Lemma 6.2 shows that $\mathrm{STABLE}(s_v, x)$ is locally finite for any signal $s_v$ in a legal computation.

Lemma 6.2 Let $C$ be a computation on some strictly clocked circuit $G = (V, E)$. If $C$ satisfies LEGAL for all time, then for each signal $s_v$ in $C$ and value $x \in \mathcal{D}$, the values $t$ such that $s_v(t) = x$ form a set $\mathrm{STABLE}(s_v, x)$ that is locally finite.

Proof: The lemma obviously holds if we can show that no signal-time pairs from $C$ satisfy the predicate $\mathcal{P}_2$, where:

Predicate. $\mathcal{P}_2(s_v, t)$ equals TRUE if $s_v$ changes value an infinite number of times during the interval $[-\infty, t]$, and FALSE otherwise.

Thus, we can prove the lemma by showing that $\mathcal{P}_2$ is computational, and invoking theorem 5.1.

Just as for $\mathcal{P}_1$, the predicate $\mathcal{P}_2$ is clearly fully defined, monotone and uninitial, and can be shown to be causal and latchable with an analysis of the different clauses of equations 1 and 3. The strategy for causality is to assume that $\mathcal{P}_2(s_v, t) = \mathrm{TRUE}$, and demonstrate on a clause by clause basis that if equations 1 and 3 are satisfied, then some input signal $s_{v'}$ for the component that $s_v$ corresponds to must also change value an infinite number of times during $[-\infty, t]$.

Functional Elements

For functional elements, we show that if all input signals change value only a finite number of times during $[-\infty, t]$, then $s_v$ can change value only a finite number of times during $[-\infty, t]$. This is sufficient for showing causality, since it implies that if $s_v$ changes value an infinite number of times during the interval $[-\infty, t]$, then some input signal must also.

If all input signals for $v$ change value only a finite number of times during $[-\infty, t]$, then there exists a partition $\pi$ of $[-\infty, t]$ into a finite number of intervals, where all input signals for the component that $s_v$ corresponds to are constant during each interval. This is an obvious consequence of the fact that there are only a finite number of inputs to any functional element, and therefore only a finite total number of value transitions across all input signals.

It is now easy to see that a finite number of value transitions for all inputs during $[-\infty, t]$ must imply that $s_v$ cannot change value an infinite number of times during $[-\infty, t]$. Given the existence of the partition $\pi$, an infinite number of value transitions of $s_v$ would imply that $s_v$ must change value an infinite number of times during some interval $[\![ t_s, t_e ]\!]$ where all inputs are constant during $[\![ t_s, t_e ]\!]$. It is obvious from equation 1, however, that the only value change that $s_v$ can undergo, during any interval over which all its inputs are constant, is from $\bot$ to some valid value, and consequently, that $s_v$ can change value at most once during $[\![ t_s, t_e ]\!]$.

Latches

The argument for level-sensitive latches is identical to that for functional elements, except that we use the clock signal to isolate a finite interval during which $s_v$ must change value an infinite number of times.

Since $G$ is strictly clocked, and therefore statically clocked and initialized, $\phi$ can change value at most a finite number of times during $[-\infty, t]$. To see this, consider the following.

Since $G$ is statically initialized, there must exist a time $t_{\mathit{start}}$ not equal to $-\infty$, such that $\phi$ is constant over the interval $[-\infty, t_{\mathit{start}}]$. Consequently, all transitions in the value of $\phi$ must occur during the interval $[t_{\mathit{start}}, t]$. Since $t_{\mathit{start}}$ is not equal to $-\infty$, however, the locally finite property of $\phi$ guarantees that $\phi$ cannot change more than a finite number of times during $[t_{\mathit{start}}, t]$.

Just as for functional elements, it is now easy to see that a finite number of value transitions of the input signal $s_{v'}$ of the latch during $[-\infty, t]$ implies that $s_v$ cannot change value an infinite number of times during $[-\infty, t]$. An infinite number of value transitions of $s_v$ would imply that $s_v$ must change value an infinite number of times during some interval $[\![ t_s, t_e ]\!]$ where $\phi$ is constant during $[\![ t_s, t_e ]\!]$. Observe, however, that if $\phi$ is LOW over $[\![ t_s, t_e ]\!]$, then by lemma 3.1 $s_v$ cannot change value at all during $[\![ t_s, t_e ]\!]$. Alternately, if $\phi$ is HIGH, $s_v$ must equal $s_{v'}$ over $[\![ t_s, t_e ]\!]$, and $s_v$ cannot change value an infinite number of times during $[\![ t_s, t_e ]\!]$, since $s_{v'}$ is assumed to change value only a finite number of times during $[-\infty, t]$. Finally, if $\phi$ is $\bot$ over $[\![ t_s, t_e ]\!]$, lemma 3.5 implies that $s_v$ can change value at most once during $[\![ t_s, t_e ]\!]$. Since HIGH, LOW and $\bot$ are the only possible values for $\phi$, we can conclude that a finite number of value transitions of $s_{v'}$ during $[-\infty, t]$ must imply that $s_v$ cannot change value an infinite number of times during $[-\infty, t]$.
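As an added example that is not part of the thesis, the following Python sketch replays the latch case just argued in discrete time: it applies the three latch clauses as we read them from the proofs (transparent when the clock is HIGH, holding the last captured value when LOW, and during $\bot$ passing the input seen at $t_{\phi\text{-valid}}$ for as long as that input stays stable, otherwise $\bot$), then checks, over every interval on which the clock is constant, the transition bounds the argument relies on. The sampled time step, the use of None for $\bot$, the initial-value parameter and all function names are assumptions of this example, not notation from the thesis.

```python
# Added example (not from the thesis): a discrete-time replay of the latch case
# of lemma 6.2.  The thesis works in continuous time; here every list index is one
# time sample, and None stands for the undefined value (bottom) on any signal.
from typing import List, Optional, Tuple

HIGH, LOW = "HIGH", "LOW"          # valid clock levels; None is the undefined level
Value = Optional[int]              # a data value, or None for bottom


def latch_output(clock: List[Optional[str]], data: List[Value], init: Value) -> List[Value]:
    """Output s_v of a level-sensitive latch with clock phi and input s_v'.

    The three clauses follow our reading of equation 3 from the proofs of
    lemmas 6.1 and 6.2 (a reconstruction, not the thesis' own text):
      phi = HIGH  : s_v(t) = s_v'(t)                         (transparent)
      phi = LOW   : s_v(t) = s_v(t_phi-high)                 (holds the value last seen HIGH)
      phi = bottom: s_v(t) = s_v'(t_phi-valid) if s_v' is stable over [t_phi-valid, t],
                    and bottom otherwise
    `init` is the value of s_v carried in from the initial conditions (Z in the thesis).
    """
    if not clock or clock[0] is None:
        raise ValueError("a digital clock signal must start at a valid level")
    out: List[Value] = []
    held = init        # s_v(t_phi-high)
    t_valid = 0        # t_phi-valid: most recent sample at which phi was valid
    for t, (phi, d) in enumerate(zip(clock, data)):
        if phi == HIGH:
            held = d
            out.append(d)
            t_valid = t
        elif phi == LOW:
            out.append(held)
            t_valid = t
        else:
            stable = all(data[i] == data[t_valid] for i in range(t_valid, t + 1))
            out.append(data[t_valid] if stable else None)
    return out


def constant_runs(sig: list) -> List[Tuple[int, int]]:
    """Maximal index intervals [t_s, t_e] over which sig keeps one value."""
    runs, start = [], 0
    for t in range(1, len(sig) + 1):
        if t == len(sig) or sig[t] != sig[start]:
            runs.append((start, t - 1))
            start = t
    return runs


def transitions(sig: list, t_s: int, t_e: int) -> int:
    """Number of value changes of sig strictly inside [t_s, t_e]."""
    return sum(1 for t in range(t_s + 1, t_e + 1) if sig[t] != sig[t - 1])


def check_latch_case(clock, data, init) -> List[Tuple[Optional[str], int, int]]:
    """For each interval on which phi is constant, return (level, bound, actual):
    the number of changes of s_v the proof allows there and the number observed.
    LOW: none (lemma 3.1); HIGH: as many as s_v' makes; bottom: at most one
    (lemma 3.5, the single step from a valid value to bottom)."""
    out = latch_output(clock, data, init)
    report = []
    for t_s, t_e in constant_runs(clock):
        phi = clock[t_s]
        bound = 0 if phi == LOW else (transitions(data, t_s, t_e) if phi == HIGH else 1)
        report.append((phi, bound, transitions(out, t_s, t_e)))
    return report


# Constructed sample: one full clock cycle plus a second rising edge, with the data
# input toggling while the latch is opaque and again during the last transition.
SAMPLE_CLOCK = [HIGH, HIGH, None, LOW, LOW, LOW, None, HIGH, HIGH, None, None, LOW]
SAMPLE_DATA = [0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0]

if __name__ == "__main__":
    for phi, bound, actual in check_latch_case(SAMPLE_CLOCK, SAMPLE_DATA, init=0):
        print(f"phi={phi!s:5} changes of s_v: {actual} (bound {bound})")
```

On the constructed sample the output toggles exactly as often as the input while transparent, stays fixed while the clock is LOW even though the input toggles twice, and makes a single step to None during the last transition, where the input changes before the clock settles.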

The predicate $\mathcal{P}_2$ can be shown to be latchable with an argument completely analogous to that used for $\mathcal{P}_1$. First, we let $s_v$ be the output signal of some latch whose clock signal is LOW at time $t$. To prove that if $\mathcal{P}_2(s_v, T) = \mathrm{FALSE}$ over some interval $[t', t)$ then $\mathcal{P}_2(s_v, t) = \mathrm{FALSE}$, we show that if $\mathcal{P}_2(s_v, T) = \mathrm{FALSE}$ over $[t', t)$ does not imply that $\mathcal{P}_2(s_v, t) = \mathrm{FALSE}$, then there must exist an open interval $[t_s, t)$ such that the configuration of the circuit is constant over $[t_s, t)$, and $s_v$ changes value an infinite number of times during $[t_s, t)$. The existence of such an interval will be shown to be a contradiction, since such an interval is not possible for any value of $\phi$ over $[t_s, t)$. The proof that, if $\mathcal{P}_2(s_v, T) = \mathrm{TRUE}$ over $(t, t']$ then $\mathcal{P}_2(s_v, t) = \mathrm{TRUE}$, is completely symmetrical.

Let $s_v$ be the output signal of some latch whose clock signal is LOW at time $t$, and assume that $\mathcal{P}_2(s_v, T) = \mathrm{FALSE}$ over $[t', t)$ but $\mathcal{P}_2(s_v, t) = \mathrm{TRUE}$. Since $\mathcal{P}_2(s_v, T)$ is not TRUE for any time $T$ less than $t$, but is TRUE for $t$, $s_v$ must change value an infinite number of times during the interval $(t'', t)$, where $t''$ is any time in $[t', t)$. Consequently, by repeating the reasoning from the proof of lemma 5.2, we know that there must exist some $t_s$ less than $t$, such that the configuration of the circuit is constant over $[t_s, t)$, and $s_v$ must change value an infinite number of times during the interval $[t_s, t)$. We can show, however, that such a $t_s$ cannot exist for any value of $\phi$ over the interval $[t_s, t)$.

It is easy to show that $\phi$ cannot equal LOW, HIGH or $\bot$ over $[t_s, t)$. If $\phi$ is LOW over $[t_s, t)$, then $s_v$ cannot change value an infinite number of times during $[t_s, t)$, since by lemma 3.1 $s_v$ cannot change value at all during $[t_s, t)$. Alternately, $\phi$ cannot be HIGH over $[t_s, t)$, since the assumption that $\phi$ equals LOW at time $t$ would then imply that $\phi$ was not a digital clock signal. Finally, if $\phi$ is $\bot$ over $[t_s, t)$, then $s_v$ cannot change value an infinite number of times during $[t_s, t)$, since by lemma 3.5 $s_v$ can change value at most once during $[t_s, t)$.

The proof that if $\mathcal{P}_2(s_v, T) = \mathrm{TRUE}$ over $(t, t']$ then $\mathcal{P}_2(s_v, t) = \mathrm{TRUE}$ is symmetrical, except that we establish the existence of a $t_e$ greater than $t$, such that the configuration of the circuit is constant over $(t, t_e]$ and $s_v$ changes value an infinite number of times during $(t, t_e]$. By the exact same arguments, such a $t_e$ cannot exist for any value of $\phi$ over the interval $(t, t_e]$. ∎

The next step in showing that our model is well formed is to establish the existence of legal computations on static synchronous circuits. Until now, our results have only stated that legal computations must have certain properties, and consequently have little content if no legal computations exist. Lemma 6.3 establishes the significance of our previous lemmas and theorems by showing that legal computations exist for any strictly clocked circuit.

The proof of lemma 6.3 represents two significant departures from the methods used to show lemmas 6.1 and 6.2. First, the proof does not assume the existence of a given static set of signals, since by showing the existence of legal computations, the lemma effectively provides the static mappings that previously have been assumed. Second, the proof is basically constructive in nature.

Theorem 5.1 and computational predicates would seem to be of limited use when trying to show the existence of legal computations, since it is not possible to attribute the violation of legality to a single component. The difficulty is that, in general, it is always possible to satisfy equations 1 and 3 for a particular component by violating equations 1 and 3 for some other component. Consequently, predicates on signal-time pairs would not seem to incorporate sufficient information to conclude whether there exists a computation that can satisfy equations 1 and 3 for all components simultaneously. Surprisingly, we can still formulate the property as a computational predicate.

Lemma 6.3 For any strictly clocked circuit $G = (V, E)$, there exists for any set of initial conditions $Z$ a computation $C$ that satisfies LEGAL for all time $t$.

Proof: The lemma obviously holds if we can show that no signal-time pairs satisfy the predicate $\mathcal{P}_3$, where:

Predicate. $\mathcal{P}_3(s_v, t)$ is TRUE if there exists no computation on $G$ that satisfies LEGAL over $[-\infty, t]$, where the signals in the computation equal the elements of $Z$ at time $-\infty$, and FALSE otherwise.

Thus, we can prove the lemma by showing that $\mathcal{P}_3$ is computational, and invoking theorem 5.1. Observe that since $s_v$ is not considered in the statement of $\mathcal{P}_3$, it is essentially a dummy variable that does not necessarily have any association with $G$. It is not surprising that $s_v$ is ignored, since we are proving a property that is intrinsic to the circuit $G$, and not to any particular computation on $G$.

The predicate $\mathcal{P}_3$ is clearly fully defined, monotone and uninitial, and is easily shown to be causal. To see that $\mathcal{P}_3$ is causal, observe that $\mathcal{P}_3$ is not dependent on the signal that it is applied to, and consequently must be TRUE at time $t$ either for any arbitrary signal or for no signals. While $\mathcal{P}_3$ is not “causal” in the intuitive sense of the term, the predicate does satisfy the formal definition of causal from section 5.

The most involved part of showing $\mathcal{P}_3$ to be computational is demonstrating that it is latchable. The difficulty resides in the fact that $\mathcal{P}_3$ is not dependent on the component it is applied to. This fact implies that showing latchability is essentially showing that if $v$ is any component in $V$, then $\mathcal{P}_3(s_v, T) = \mathrm{TRUE}$ over some interval $(t, t']$ must imply that $\mathcal{P}_3(s_v, t) = \mathrm{TRUE}$, and $\mathcal{P}_3(s_v, T) = \mathrm{FALSE}$ over some interval $[t', t)$ must imply that $\mathcal{P}_3(s_v, t) = \mathrm{FALSE}$. This property is much stronger than normal latchability, which applies only to latches with LOW clock inputs. The strength of this property raises the question of whether using the concept of a computational predicate for this proof is merely a notational contrivance. Observe, however, that by using a computational predicate, we are able to easily determine a precise way to prove a lemma that is difficult to attack intuitively.

To show that for any signal $s_v$, $\mathcal{P}_3(s_v, T) = \mathrm{TRUE}$ over $(t, t']$ implies $\mathcal{P}_3(s_v, t) = \mathrm{TRUE}$, the strategy is to let $\mathcal{P}_3(s_v, T) = \mathrm{TRUE}$ over $(t, t']$, assume that $\mathcal{P}_3(s_v, t) = \mathrm{FALSE}$, and show a contradiction. The fact that $\mathcal{P}_3(s_v, t) = \mathrm{FALSE}$ implies that there exists a computation $C$ that satisfies LEGAL over $[-\infty, t]$. We use this computation to construct a computation $C'$ that satisfies LEGAL over the interval $[-\infty, t']$, where $t'$ is strictly greater than $t$. The existence of $C'$ is a direct contradiction to the assertion that $\mathcal{P}_3(s_v, T) = \mathrm{TRUE}$ over $(t, t']$, and consequently, we can conclude that $\mathcal{P}_3(s_v, t) = \mathrm{TRUE}$ when $\mathcal{P}_3(s_v, T) = \mathrm{TRUE}$ over $(t, t']$.

The only nontrivial step in showing that for any signal $s_v$, $\mathcal{P}_3(s_v, T) = \mathrm{TRUE}$ over $(t, t']$ implies $\mathcal{P}_3(s_v, t) = \mathrm{TRUE}$, is using the implied computation $C$ to construct a suitable $C'$. The construction is done inductively, based on the configuration of $G$ over an interval $(t, t_e]$. Using an argument similar to the one in the proof for lemma 5.2, we know that there must exist a $t_e$ strictly greater than $t$, such that the configuration of $G$ is constant over $(t, t_e]$.

Now, since $G$ is strictly clocked, and therefore synchronous, $C'$ can be constructed if we can show two facts. First, we need to show that from $C$ we can construct a $C'$ that is legal over $[-\infty, t]$, and whose signals that are output signals of latches whose clock signals are LOW over $(t, t_e]$ satisfy LEGAL over $(t, t_e]$. Second, we need to show that for any component $v$, if there exists a computation that is legal over $[-\infty, t]$, and whose signals satisfy LEGAL over $(t, t_e]$ for all components with paths to $v$ in the configuration of $G$ during $(t, t_e]$, then we can construct a $C'$ that also satisfies LEGAL for $v$ over $(t, t_e]$. If we can show these two facts, it is clear that we can construct a suitable $C'$ by inducting over the configuration $G_t$ of $G$ during $(t, t_e]$, since $V$ contains only a finite number of components and $G_t$ must be acyclic.

It is easy to see that we can construct a $C'$ that is legal over $[-\infty, t]$, where signals in $C'$ that are output signals of latches whose clock signals are LOW over $(t, t_e]$ satisfy LEGAL over $(t, t_e]$. Consider the following. Since $G$ is strictly clocked, and therefore statically clocked, all clock signals must be digital. Consequently, clock signals that are LOW over $(t, t_e]$ must be LOW over $[t, t_e]$. Examining equation 3, however, we see that the LEGAL constraints for latches whose clock signals are LOW over $(t, t_e]$ are therefore invariant over the closed interval $[t, t_e]$. Consequently, since the computation $C$ provides output signal values that satisfy at time $t$ the LEGAL constraints for all components, we can construct $C'$ by making the output signals of latches whose clock signals are LOW over $(t, t_e]$ constant with these values over $(t, t_e]$.

Now, if there exists a computation that is legal over $[-\infty, t]$, whose output signals for components with paths in $G_t$ to a component $v$ satisfy LEGAL for those components over $(t, t_e]$, it is easy to see that we can construct a $C'$ such that LEGAL for $v$ is also satisfied over $(t, t_e]$. Simply observe that if all input signals to a component are known over $[-\infty, t_e]$ and the value of the output signal is known over $[-\infty, t]$, equations 1 and 3 effectively specify values for the output signal that satisfy LEGAL for the component over $(t, t_e]$. Since each signal in $C'$ needs to satisfy the output signal constraint of only a single component, this last point effectively concludes the proof that for any signal $s_v$, $\mathcal{P}_3(s_v, T) = \mathrm{TRUE}$ over $(t, t']$ implies $\mathcal{P}_3(s_v, t) = \mathrm{TRUE}$.

Using a similar argument, we can show that for any signal $s_v$, $\mathcal{P}_3(s_v, T) = \mathrm{FALSE}$ over $[t', t)$ implies that $\mathcal{P}_3(s_v, t) = \mathrm{FALSE}$. Consider the following. If $\mathcal{P}_3(s_v, T) = \mathrm{FALSE}$ over some interval $[t', t)$, then there must exist a computation $C$ that satisfies LEGAL for all time in $[-\infty, t)$. It is easy to show that the values of the signals in $C$ can be used to construct a computation $C'$ that satisfies LEGAL over $[-\infty, t]$. The existence of $C'$ by definition implies that $\mathcal{P}_3(s_v, t) = \mathrm{FALSE}$.

The construction for $C'$ when $\mathcal{P}_3(s_v, T) = \mathrm{FALSE}$ over some interval $[t', t)$ is essentially identical to the one used above when $\mathcal{P}_3(s_v, T) = \mathrm{TRUE}$ over some interval $(t, t_e]$. The only difference to note is that, given $C$ over $[-\infty, t)$, equation 3 specifies a value at time $t$ that satisfies LEGAL for latches whose clock signals are LOW at time $t$. ∎

We can now easily show that strictly clocked circuits are well formed. Theorem 6.1 essentially combines the results of lemmas 6.1 and 6.2, and notes that the proof of lemma 6.3 can easily be used to show the stronger result of uniqueness.

Theorem 6.1 For any strictly clocked circuit $G = (V, E)$, there exists for any set of initial conditions $Z$ a unique digital computation $C$ that satisfies LEGAL for all time $t$.

Proof: If $Z$ is a set of initial conditions for some strictly clocked circuit $G = (V, E)$, then by lemma 6.3 we know that a legal computation $C$ must exist for $Z$. In addition, by lemmas 6.1 and 6.2 we know that all signals in $C$ must be digital signals.

We can show that $C$ is unique by repeating the proof for lemma 6.3 with the following slightly modified computational predicate $\mathcal{P}_4$.

Predicate. $\mathcal{P}_4(s_v, t)$ is TRUE if there exists a legal computation for $Z$ on $G$ that is not equal to $C$ for some time in $[-\infty, t]$, and FALSE otherwise.

∎

Theorem 6.1 is the main result of this section and, to a large extent, of the entire thesis. The theorem essentially states that our models for digital components and digital signals are self consistent when combined to form strictly clocked circuits. When combined with the lemmas from section 3, the theorem also states that strictly clocked circuits exhibit behavior that matches many of our intuitive notions for the behavior of electrical circuits. In addition, the theorem provides an indication of the generality of computational predicates, since each property that is needed by the theorem can be cast as a computational predicate.

7 Conclusion

While the ultimate purpose of any model is to provide a basis for analysis algorithms, it is important that a model be examined in its own right, so that algorithms based on it can be verified for correctness and bounded in running time.

Due to a de-emphasis on formal properties, traditional models for level-clocked circuits have lacked the kinds of rigorous notions, algebras and bounds that have been developed for circuits utilizing edge-triggered latches [9, 11]. Indeed, the rigorous treatments of edge-triggered circuits have, to some extent, actually hindered the development of formal models for level-clocked circuits, by encouraging the assumption that modeling digital circuits is a “solved” problem. In fact, however, while level-clocked circuits can be designed to mimic the behavior of edge-triggered latches, the behavior of level-clocked circuits is fundamentally different, and must be modeled in its own right if any accurate analysis of level-clocked circuits is to be performed.

This thesis has presented the background for a formal model for level-clocked circuitry. The model has been formulated explicitly to support mathematically precise manipulation, while maintaining the ability to accurately map electrical signals. The model incorporates low level features, such as the “undefined” values that electrical signals take on when they change between valid logic levels, and high level features, such as the proof techniques based on computational predicates.